Security Basics mailing list archives
Re: Software/Hardware Firewall
From: D K <dk1088 () hotmail com>
Date: 18 Apr 2003 12:42:19 -0000
In-Reply-To: <00bd01c30512$4b6fe380$6e811299@gillett>

I do appreciate the information, and the opinions expressed. Informative and enlightening. However, :) , I was actually looking for a separate answer to my question, but was obviously a bit unclear.

My concern is not for the choice of hardware vs. software for an implementation, home or office, but rather a question of whether there are specific vulnerabilities to running software-on-top-of-OS firewalls (ZoneAlarm, etc.). I do understand that if a vulnerability is discovered in an appliance (say a SonicWall), it then requires a release from the manufacturer to fix, and your vulnerability stays until said fix is produced (and hopefully you have something else to work around said vuln). I also understand that if a similar issue is discovered with a software-on-top-of-OS firewall, you will still be waiting for a fix from the software maker. I am simply trying to determine which is theoretically the greater risk. If both are equally open to actual firewall vulnerabilities, but the software-on-top-of-OS firewall is ALSO susceptible to OS vulnerabilities, then the question is easily answered in theory. (Yes, do both!)

That is the information I am looking for with this long-winded, roundabout question. Are there any specific happenings where software-on-OS firewalls have had OS vulnerabilities exploited to bypass the firewall? Most hardware (appliance-type) firewalls have well-documented (not always by the manufacturer, though!) problems that have been fixed in the past with firmware upgrades.

I hope I have been a little less mud-like in my clarity this time! And thank you each for responding.
-----Original Message-----
From: "David Gillett" <gillettdavid () fhda edu>
To: <security-basics () securityfocus com>
Subject: RE: Software/Hardware Firewall
Date: Thu, 17 Apr 2003 11:51:01 -0700
Message-ID: <00bd01c30512$4b6fe380$6e811299@gillett>
In-Reply-To: <BAC44CFA.2C4C%thedistance () 1thedistance com>

One of the problems with the "hardware vs. software firewall" debate (which rears its head on a regular basis) is that the distinction is rarely clearly understood by those posing the question (and often also by those attempting to answer it!). There are at least three distinctions that may be drawn between different firewall implementations that *might* appear to be "hardware vs. software":

1. Firewall applications that run purely in software (e.g., FW-1, PIX, etc.) versus those that offload some tasks to custom ASIC silicon (as (some of?) NetScreen's products (claim to) do).
This is the version of the question you've attempted to answer here, although some of NetScreen's claims appear to dispute the answer you've offered. (Clearly *some* of NetScreen's functionality is implemented in updatable firmware/software, so I do not know of any PURE hardware solutions.) Part of the power of digital technology is that functions which would be quite challenging to implement purely in hardware can often be implemented much less expensively in software. (In absolute terms, the software implementation is rarely as fast as specialized hardware could be, but as long as it's fast *enough*, the cost saving tends to win.) So this variation of the question is rarely very interesting to discuss.

2. "Desktop firewall applications" that run directly on the host, as opposed to firewall boxes in the network which function as routers (or, occasionally, bridges). I.e., should the firewall process run on its own box ("dedicated hardware")?

There are really two parts to this question. Protecting each machine individually seems to work well in home or individual-user environments, but does not scale well to networks of thousands of machines. So in most cases the environment of use dictates whether this is an acceptable solution or not. The other piece of this question, though, is a specific case of a third general interpretation of the "hardware vs. software" question....

3. Firewall applications that run on top of a general-purpose OS and hardware (e.g., CheckPoint FW-1 on Solaris, Windows, or Linux) versus firewall applications preinstalled with a custom OS on possibly custom hardware (e.g., PIX, FW-1 on Nokia or switch blades, etc.). I.e., do you buy/license the firewall as software to run on standard hardware/OS you provide, or as a preconfigured hardened box ("piece of hardware")?

Desktop firewall applications (see 2) always fall into the first of these alternatives, but with dedicated hardware you have a choice.
Specialized hardware and OS platforms are expensive for several reasons. They require the firewall manufacturer to engage in (and excel at!) a wider variety of tasks than a software-only approach, and manufacturing costs cannot be recouped using economies of scale because the market is rather limited. On the other hand, a firewall implementation that relies on general-purpose hardware and OS support may inherit vulnerabilities from those components that the firewall vendor may not be able to anticipate, or to fix.

THIS is where you get into an interesting set of trade-offs, where differences in manufacturer quality and customer priorities can lead to very different recommendations for networks of similar size and topology.

David Gillett

-----Original Message-----
From: thedistance [mailto:thedistance () 1thedistance com]
Sent: April 17, 2003 10:22
To: jpastore () idetech net
Cc: security-basics () securityfocus com
Subject: Re: Software/Hardware Firewall

Actually, correct me if I'm wrong, but all firewalls are software. It's just that some are packaged with specific hardware packages. This is true for Cisco Pix, Netscreen, and I believe the Watch Guard as well as others. The only difference is that the software is customized for specific hardware and the software has limited interaction with the end user. A hardware firewall would be a dangerous beast, since once an exploit is found you would have to purchase a new device or send it in to be refitted. I believe the differences are more clearly expressed in terms of "Prepackaged Firewall" and "Build your own Firewall".

td

On 4/16/03 2:43 PM, "Jon Pastore" <jpastore () idetech net> wrote:

I've never cared about hardware versus software, as long as the job got done. I mean technically you would have fewer problems with hardware (someone's going to flame me for that). The reason I say this is I have a Dell server using iptables with 2 NICs and you would think everything would be fine... well, the driver that kudzu picked was deprecated by Red Hat and I had this problem where something got overflowed or hung... whatever... and iptables said "I can't deal with this, let the packets FLOW"... it all goes back to this deprecated driver. If it's deprecated, remove it! I understand leaving in nslookup, but drivers? Come on, that was a potentially bad problem that we were lucky we found first... Anyway, we're purchasing a Watch Guard Firebox 1000; this thing seems pretty kewl...

Jon Pastore, President
IDE Tech, Inc.
(954) 360-0393 Office
(954) 428-0442 Fax

--
thedistance

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hands-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-security-basics
---------------------------------------------------------------------------
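Jon Pastore's story about the deprecated NIC driver and iptables letting "the packets FLOW", and D K's question about the extra exposure a software-on-top-of-OS firewall carries, both point at the same practitioner check: a host firewall should fail closed, so that when something underneath it misbehaves the result is "nothing gets through", not "everything gets through". The script below is an added example, not code from anyone in this thread, for a two-NIC Linux box of the kind Jon describes. The interface names, LAN subnet and admin host are assumptions chosen for illustration. The point it makes is that the default policy of every built-in chain is set to DROP in the same ruleset as the allow rules, and the whole thing is loaded atomically with iptables-restore, so a rule that fails to parse, a script that dies half-way, or a missing match module leaves the box closed rather than open.

```shell
#!/bin/sh
# Added example (not from the thread): a fail-closed iptables ruleset for a
# two-NIC Linux router. Interface names, LAN subnet and admin host below are
# assumptions for illustration; override them in the environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ADMIN_HOST="${ADMIN_HOST:-192.168.1.10}"

# Emit the ruleset in iptables-restore format. The default policy of every
# filter chain is DROP, declared before any ACCEPT rule, so anything not
# explicitly allowed is discarded even if a later rule never gets loaded.
# "-m state" is the 2003-era match; "-m conntrack --ctstate" is the modern
# spelling and accepts the same state names.
fail_closed_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $LAN_IF -s $ADMIN_HOST -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Pre-flight check: every filter chain must default to DROP. Returns 0 when
# the ruleset is fail-closed, 1 if any chain would pass traffic by default.
check_fail_closed() {
    rs="$1"
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rs" | grep -q "^:$chain DROP " || return 1
    done
    return 0
}

# Count the explicit ACCEPT rules, so a reviewer can see at a glance how
# short the allow list is.
count_accept_rules() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

# Apply only when asked to and only as root. iptables-restore swaps the
# whole table in one step: there is no window with half old, half new rules,
# and a parse error anywhere leaves the previous ruleset untouched.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must be root to apply" >&2; exit 1; }
    rules=$(fail_closed_ruleset)
    check_fail_closed "$rules" || { echo "refusing: ruleset is not fail-closed" >&2; exit 1; }
    printf '%s\n' "$rules" | iptables-restore || { echo "load failed, old rules still in place" >&2; exit 1; }
fi
```

Run it with no arguments to generate and check the ruleset without touching the kernel; `--apply` as root loads it. Note what this does and does not buy you: a DROP default protects against the firewall's own rules failing to load, but it does not protect against the OS underneath (a NIC driver, the netfilter code path itself) misbehaving, which is exactly the class of exposure D K is asking about and the reason an appliance with its own hardened OS is still worth weighing against a general-purpose host.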
Current thread:
- Software/Hardware Firewall D K (Apr 15)
- RE: Software/Hardware Firewall Jon Pastore (Apr 17)
- Re: Software/Hardware Firewall thedistance (Apr 17)
- RE: Software/Hardware Firewall Jon Pastore (Apr 17)
- RE: Software/Hardware Firewall David Gillett (Apr 17)
- Re: Software/Hardware Firewall thedistance (Apr 17)
- <Possible follow-ups>
- Re: Software/Hardware Firewall D K (Apr 21)
- RE: Software/Hardware Firewall Jon Pastore (Apr 17)