Firewall Wizards mailing list archives

Re: Firewall Throughput


From: Patrick Darden <darden () armc org>
Date: Tue, 12 Sep 2000 10:15:03 -0400 (EDT)


On Tue, 12 Sep 2000, Darren Reed wrote:

"Cisco push it along the lines of 'you don't want unix/windows on your
firewall because they're crashable'"

I would like to know where they state that.  It would be pretty
hypocritical as the PIX has a Unix based OS (Plan 9).

http://www.cisco.com/univercd/cc/td/doc/pcat/fw.htm
Look for the words "Non-Unix" (strictly speaking, this *is* true even if
it is Plan 9).


Hmmm, the PIX is similar to the Nokia FW1 boxes in that they are hardened
Unix derivatives, cut to the quick, performance enhanced, with ip
filtering, stateful connection monitoring, and packet inspection.

I find it interesting that they intimate bad things about Unix's security
and performance, but only flat out state bad things about general purpose
operating systems:

"This design eliminates the risks associated with a general purpose
operating system... (allowing the pix) to deliver outstanding
performance".

They are walking a fine line here.  I would venture to say that they have
even crossed it.



They're different, they need a marketing angle, they drive it.

"You damn well don't want a router as a firewall"

I don't know of many firewalls that aren't routers as well, that includes
the IP Filter you seem to like so much and even the BSD-based NOKIA
running Checkpoint FW1.  Application-layer proxy based firewalls usually
aren't routers, but otherwise...

Router = thing which tftp's boot images, does BGP4, has no hard disk, etc.
Or to put it more succinctly in this thread, a Cisco 1234 thing.


That is not a good definition of a router.  Routers do not have to boot
via tftp, and they don't do it by default.  Routers don't even have to use
BGP4.  The RFPs that define routers don't really mention any of
this....  I know I am just being picky--you were just letting off steam.



and likewise you shouldn't use routers to do firewalling when you're
serious about firewalling.


I think we agree here, but I'll be picky again.

Firewalls on routers have their place.  I believe in a multi-layered
approach to security, and the first layer is having a well protected
router that provides ingress/egress filtering (e.g. to prevent DDOS).

They certainly should not be solely relied upon.

 
If I'm really serious about security then I *will* use/recommend a proxy
firewall, even in addition to anything else which is there.  There are
some things they offer which just can't be matched, in terms of security,
by any packet-filtering based firewall.


Again, I think we agree.  An application proxy on a hardened host, behind
a good stateful packet filter, is a tremendous security boost.


Do yourself a favour and stay ignorant of the development methodology
that goes on "behind the scenes" with Linux.  What are they now,
2.4.pre34-test83, and still making major architectural changes inside it.
That's *insane*.  Sure, Solaris is stable, but you can't strap it down
as securely as you can BSD, plus you get source code for BSD.



I'm aware of the procedure, and I also know that Linus put a freeze on new
features months ago.  He does not make major new architectural changes to
the betas, and very rarely to the alphas.

I agree that BSD is a great Unix.  However, I am not holy enough to state
it is the best, and I really try to stay out of these religious debates.


-- 
--
--Patrick Darden                Internetworking Manager             
--                              706.354.3312    darden () armc org
--                              Athens Regional Medical Center


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
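The "first layer" Darden describes, a border router doing ingress/egress anti-spoofing filtering, can be sketched as a small evaluator. This is an added illustration, not code from the thread or from any vendor; the site prefix 192.0.2.0/24, the neighbour address 198.51.100.7 and the sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical site prefix (documentation range, constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Sources that should never arrive from the Internet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    src: str
    dst: str
    iface: str  # "outside" (from the Internet) or "inside" (from our LAN)


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def filter_packet(pkt):
    """Return (verdict, reason) for one packet at the border router."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.iface == "outside":
        # Ingress: the Internet must not claim our own or a private/bogon source,
        # and we are not a transit provider, so the destination must be ours.
        if _in_any(src, INTERNAL_NETS):
            return "drop", "ingress: spoofed internal source"
        if _in_any(src, BOGONS):
            return "drop", "ingress: bogon source"
        if not _in_any(dst, INTERNAL_NETS):
            return "drop", "ingress: destination is not our prefix"
        return "accept", "ingress"
    if pkt.iface == "inside":
        # Egress (BCP 38 style): only our own prefix may leave, so a compromised
        # internal host cannot take part in a source-spoofed DDoS.
        if not _in_any(src, INTERNAL_NETS):
            return "drop", "egress: source not in our prefix"
        return "accept", "egress"
    return "drop", "unknown interface"


# Constructed sample traffic: normal inbound, spoofed inbound, bogon inbound,
# normal outbound, spoofed outbound.
SAMPLES = [
    Packet("198.51.100.7", "192.0.2.10", "outside"),
    Packet("192.0.2.5", "192.0.2.10", "outside"),
    Packet("10.1.1.1", "192.0.2.10", "outside"),
    Packet("192.0.2.10", "198.51.100.7", "inside"),
    Packet("203.0.113.9", "198.51.100.7", "inside"),
]


def evaluate_samples():
    return [filter_packet(p)[0] for p in SAMPLES]
```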

