Firewall Wizards mailing list archives

Re: Firewall: dedicated equipment x Unix workstation


From: David Bonn <David.Bonn () watchguard com>
Date: Fri, 2 Oct 1998 13:01:39 -0700

"Carlos" == Carlos Henrique Bauer <bauer () atlas unisinos tche br> writes:

Carlos> Some people believe that firewalls running in a dedicated network
Carlos> device are more secure than the ones running on a generic Unix
Carlos> workstation.

Carlos> Is that true, a myth or just a matter of taste?

I've got biases because I profit from firewalls as a dedicated network
device.  I'll make some bald assertions that I think most people will
agree with:

 o One can best avoid security risks associated with a piece of
   software by not using that piece of software.

 o The difficulty of evaluating the security of a system increases
   very rapidly as the complexity of the system increases.

 o Factors contributing to the complexity of a system are:  size
   of the code ("lines" of code, instructions, whatever), number of
   subsystems, number of interfaces between subsystems, number of
   vendors.

 o You can't do an evaluation of the security of a system if you
   can't vet the source code.

 o Knowable risks are generally better than unknowable risks.

These are all motherhood and apple-pie issues.  I don't think it is
reasonable to compare apples to oranges, so comparing a packet
filtering router to a Unix box running a bunch of application gateways
probably doesn't make a whole lot of sense.

Let's look at it from a vendor perspective.  The vendor of a firewall
appliance likely has all of the source code, from device drivers to
operating system kernel (obviously they have sources to all of their
firewall software too), so they are in a position to at least evaluate
security risks.  Appliance vendors also have an economic incentive to
keep the firewall code as small as possible, since this directly
reduces the cost of goods (larger flash rams rapidly get more
expensive, although this argument is much softer with hard disk
drives).

On the other hand, a host-based firewall has a much bigger set of
risks.  Evaluating the host operating system is much more problematic
(how many host-based firewall vendors vetted the operating systems they
run under?).  Device drivers make this worse, since the set of drivers
is potentially quite large and even more difficult to evaluate.
Keeping current with security patches may well require the customer to
integrate patches from two or more vendors.  So the vendors ought to
be vetting those patches too.  The situation doesn't scale very
well.

My $.02.  Like I said, I'm biased.

David Bonn, CTO
WatchGuard Technologies, Inc.
david.bonn () watchguard com
