Firewall Wizards mailing list archives

Re: RE: firewall-wizards digest, Vol 1 #79 - 2 msgs appliance firewall


From: Mikael Olsson <mikael.olsson () enternet se>
Date: Thu, 12 Oct 2000 22:33:41 +0200


Paul Gerry wrote (off-list; forwarded with permission)

[snip] I certainly wasn't trying to snipe anyone or load up 
my response.  In fact I never mentioned NetScreen in my e-mail.

Ah, no, but since you were arguing for ASICs, coupled with your
number-one marketing point being that your products make use 
of them, sort of makes it all an argument for your own product ;)

Anyway, to answer your question, NetScreens are flash upgradeable.  If a new
attack is discovered, we create a firmware file that a user can use to flash
their NetScreen firewall.  That's all there is to it.  Firewall policy lookup
and data encryption for VPN happen in the ASIC.  This is where NetScreen
gains the performance advantage.

All in the interest of learning... not to simply be argumentative
or a pain in the b*tt..

1. There are people that tend to follow the logical(?) chain 
   "appliance -> not a computer -> no software -> 
    there's nothing that can go wrong -> gotta be a lot better", 
   which .. well .. let's just say that I don't really like it ;)

2. A whole bunch of us readers here on this list are
   _very_ paranoid when it comes to 

I'd like to argue that it's still not an "appliance" the same way a 
hub or repeater is, now is it? Storage medium is a moot point -- Cisco
PIX for instance uses flash storage for its executables and config
files, but it still runs on an x86 processor.

See, my point is that it still doesn't get any more "appliance"
than, for instance, Cisco PIX or the Nokia IP series. At least
not in the way that a hub or toaster does; they're pretty
much bugproof -- unless you got one of those fancy models
with a built-in web server, that is :P

Evidently, ASICs are faster than your run-of-the-mill x86
clone CPU, but, well, can you actually refute that
it's still a "CPU" running "software"? 

(Here's where the paranoia part comes in...)

If too much is done in the ASICs (which are fairly static?), 
you won't be able to upgrade those parts.
If there's a lot of software (gets involved with the actual 
per-packet processing), it's still "software designed for packet 
shuffling". 

Having more software is (imho) a good thing, provided
that it is WELL WRITTEN of course. If too much logic is 
tied up into the ICs, you won't be able to change it
in the future, right?

So... which way is it? :)

Regards,
Mikael Olsson

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se

On bosses and technology: "There are bosses who don't know, and there 
are bosses that don't know that they don't know" /Anonymous techie

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

