Re: Software/Hardware Firewall

[D K <dk1088 () hotmail com>]

In-Reply-To: <00bd01c30512$4b6fe380$6e811299@gillett>

I do appreciate the information, and the opinions expressed. Informative 
and enlightening. However, :) , I was actually looking for a separate 
answer to my question, but was obviously a bit unclear.  My concern is not 
for the choice of hardware vs. software for an implementation, home or 
office, but rather a question of are there specific vulnerabilities to 
running software on top of OS related firewalls (ZoneAlarm...etc.).  I do 
understand that if a vulnerability is discovered in an appliance (say a 
SonicWall), that it then requires a release from the manufacturer to fix, 
and your vulerability stays until said fix is produced (and hopefully, you 
have something else to workaround said vuln.).  I also understand that if 
a similar issue is discovered with a software on top of OS firewall, you 
will still be waiting for a fix from the software maker.  I am simply 
trying to determine which is theorhetically the greater risk.  If both are 
equally open to actual firewall vulnerabilities, but the software-on-top-
of-OS is ALSO susceptible to OS vulnerabilities, then the question is 
easily answered in theory. (Yes, do both!) That is the information I am 
looking for with this long-winded, roundabout question.  Are there any 
specific happenings where software-on-OS firewalls have had OS 
vulnerabilities exploited to bypass the firewall?  Most hardware 
(appliance-type) firewalls have well documented (not always by the 
manufacturer, though!) problems that have been fixed in the past with 
firmware upgrades.

I hope I have been a little less mud-like in my clarity this time!  And 
thank you each for responding.


> Received: (qmail 29927 invoked from network); 17 Apr 2003 22:19:28 -0000
> Received: from outgoing3.securityfocus.com (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 17 Apr 2003 22:19:28 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com 
[205.206.231.19])
>       by outgoing3.securityfocus.com (Postfix) with QMQP
>       id 339F6A30CC; Thu, 17 Apr 2003 16:10:56 -0600 (MDT)
> Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <security-basics.list-id.securityfocus.com>
> List-Post: <mailto:security-basics () securityfocus com>
> List-Help: <mailto:security-basics-help () securityfocus com>
> List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
> Delivered-To: mailing list security-basics () securityfocus com
> Delivered-To: moderator for security-basics () securityfocus com
> Received: (qmail 346 invoked from network); 17 Apr 2003 18:32:28 -0000
> Reply-To: <gillettdavid () fhda edu>
> From: "David Gillett" <gillettdavid () fhda edu>
> To: <security-basics () securityfocus com>
> Subject: RE: Software/Hardware Firewall
> Date: Thu, 17 Apr 2003 11:51:01 -0700
> Message-ID: <00bd01c30512$4b6fe380$6e811299@gillett>
> MIME-Version: 1.0
> Content-Type: text/plain;
>       charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0)
> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
> Importance: Normal
> In-Reply-To: <BAC44CFA.2C4C%thedistance () 1thedistance com>
>
>  One of the problems with the "hardware vs. software firewall"
> debate (which rears its head on a regular basis) is that the
> distinction is rarely clearly understood by those posing the
> question (and often also by those attempting to answer it!).
>
>  There are at least three distinctions that may be drawn
> between different firewall implementations that *might* appear
> to be "hardware vs. software":
>
> 1.  Firewall applications that run purely in software (e.g., FW-1,
> PIX, etc) versus those that offload some tasks to custom ASIC
> silicon (as (some of?) NetScreen's products (claim to) do).  This
> is the version of the question you've attempted to answer here,
> although some of NetScreen's claims appear to dispute the answer
> you've offered.  (Clearly *some* of NetScreen's functionality is
> implemented in updatable firmware/software, so I do not know of
> any PURE hardware solutions.)
>  Part of the power of digital technology is that functions which
> would be quite challenging to implement purely in hardware can
> often be implemented much less expensively in software.  (In
> absolute terms, the software implementation is rarely as fast as
> specialized hardware could be, but as long as it's fast *enough*,
> the cost saving tends to win.)
>  So this variation of the question is rarely very interesting
> to discuss.
>
> 2.  "Desktop firewall applications" that run directly on the
> host, as opposed to firewall boxes in the network which
> function as routers (or, occasionally, bridges).  i.e., should
> the firewall process run on its own box ("dedicated hardware")?
>  There are really two parts to this question.  Protecting each
> machine individually seems to work well in home or individual-user
> environments, but does not scale well to networks of thousands
> of machines.  So in most cases the environment of use dictates
> whether this is an acceptable solution or not.
>  The other piece of this question, though, is a specific case
> of a third general interpretation of the "hardware vs. software"
> question....
>
> 3.  Firewall applications that run on top of a general-purpose
> OS and hardware (e.g., CheckPoint FW-1 on Solaris, Windows, or
> Linux) versus firewall applications preinstalled with custom OS
> on possibly custom hardware (e.g. PIX, FW-1 on Nokia or switch
> blades, etc.)  i.e., do you buy/license the firewall as software
> to run on standard hardware/OS you provide, or as a preconfigured
> hardened box ("piece of hardware")?
>  Desktop firewall applications (see 2) always fall into the first
> of these alternatives, but with dedicated hardware you have a choice.
>  Specialized hardware and OS platforms are expensive for several
> reasons.  They require the firewall manufacturer to engage in (and
> excel at!) a wider variety of tasks than a software-only approach,
> and manufacturing costs cannot be recouped using economies of scale
> because the market is rather limited.
>  On the other hand, a firewall implementation that relies on
> general-purpose hardware and OS support may inherit vulnerabilities
> from those components that the firewall vendor may not be able to
> anticipate, or to fix.
>  THIS is where you get into an interesting set of trade-offs, where
> differences in manufacturer quality and customer priorities can lead
> to very different recommendations for networks of similar size and
> topology.
>
> David Gillett
>
>
>
> > -----Original Message-----
> > From: thedistance [mailto:thedistance () 1thedistance com]
> > Sent: April 17, 2003 10:22
> > To: jpastore () idetech net
> > Cc: security-basics () securityfocus com
> > Subject: Re: Software/Hardware Firewall
> >
> >
> > Actually, correct me if I'm wrong, but all firewalls are
> > software. It's just
> > some are packaged with specific hardware packages. This is
> > true for Cisco
> > Pix, Netscreen, and I believe the Watch Guard as well as
> > others. The only
> > difference is that the software is customized for specific
> > hardware and the
> > software has limited interaction with the end user. A
> > hardware firewall
> > would be a dangerous beast since once an exploit is found you
> > would have to
> > purchase a new device or send it in to be refitted. I believe the
> > differences are more clearly expressed in terms of
> > "Prepackaged Firewall"
> > and "Build your own Firewall"
> >
> >
> > td
> >
> >
> > I've never cared hardware versus software, as long as the job
> > got done.
> > I mean technically you would have less problems with hardware
> > (someone's
> > going to flame me for that) the reason I say this is I have a dell
> > server using iptables with 2 nics and you would think everything would
> > be fine...well the driver that kudzu picked was deprecated by Red Hat
> > and I had this problem where something got over flowed or hung
> > ...whatever... and iptables said I can't deal with this let
> > the packets
> > FLOW...all goes back to this deprecated driver...if it's deprecated
> > remove it...I understand leaving in nslookup but drivers? Come on that
> > was a potential bad problem that we were lucky we found first...
> >
> > Anyway we're purchasing a Watch Guard Firebox 1000 this thing seems
> > pretty kewl...
> >
> > Jon Pastore, President
> > IDE Tech, Inc.
> > (954) 360-0393 Office
> > (954) 428-0442 Fax
> >
> >
> >
> > On 4/16/03 2:43 PM, "Jon Pastore" <jpastore () idetech net> wrote:
> >
> > > security-basics () securityfocus com
> >
> > --
> > thedistance
> >
> >
> >
> > --------------------------------------------------------------
> > -------------
> > Attend Black Hat Briefings & Training Europe, May 12-15 in
> > Amsterdam, the
> > world's premier event for IT and network security experts.
> > The two-day
> > Training features 6 hand-on courses on May 12-13 taught by
> > professionals.
> > The two-day Briefings on May 14-15 features 24 top speakers
> > with no vendor
> > sales pitches.  Deadline for the best rates is April 25.
> > Register today to
> > ensure your place.
> http://www.securityfocus.com/BlackHat-security-basics
> --------------------------------------------------------------------------
--
> --------------------------------------------------------------------------
-
> Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
> world's premier event for IT and network security experts.  The two-day 
> Training features 6 hand-on courses on May 12-13 taught by 
professionals.  
> The two-day Briefings on May 14-15 features 24 top speakers with no 
vendor 
> sales pitches.  Deadline for the best rates is April 25.  Register today 
to 
> ensure your place.  http://www.securityfocus.com/BlackHat-security-basics 
> --------------------------------------------------------------------------
--
>

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place.  http://www.securityfocus.com/BlackHat-security-basics 
----------------------------------------------------------------------------