Firewall Wizards mailing list archives
Re: Proverbial appliance vs software based firewall
From: "James Maher" <James.Maher () ird govt nz>
Date: Tue, 15 Oct 2002 16:39:56 +1300
Well.... I think it is also a case of being able to keep the box in a state that is secure. I have found it a nightmare to maintain Solaris boxes that are hardened, and one always feels that although they may have been hardened well originally, are they still as secure? And how can you be sure, etc... It just generates a great deal of admin overhead, which can in turn result in less secure boxes rather than more secure ones.

Just my tuppence worth.

That said, I would still not choose a FW-1 system as I do not believe it has a transparent enough security model (too many implied/secret rules aka black magic, "well it is working now but I am b#$%^ed if I know how I got it into this state" ;-)

Maybe I need a holiday.

PS sorry for flicking this at you originally and not the list, Mikael; mind not able to multitask ;-)

Mikael Olsson <mikael.olsson () clavister com> 10/15/02 07:31a.m. >>>
Dominic Malig wrote:
[...] appliance vs software firewall 'which is better' [...]

Given that we tout both software packages and appliances, I think I can authoritatively say that there is virtually zero difference between the concepts. For _our_ stuff, the only difference is that we know beforehand that the software works reasonably well with the hardware.

So, a generalistic discussion about software/appliance is pretty much a moot point.

Now, if you want to discuss pros and cons of software/appliance for specific firewall vendors, I'm sure we can come up with more interesting points.

For instance, I believe that most people will get a more secure solution if they buy FW-1 on a Nokia box, rather than setting FW-1 up on Solaris, or (horror!) NT for that matter. Why? I believe Nokia does a good job of hardening their boxes; likely a better job than most people can do hardening Solaris/NT boxes. That is not to say that someone really clueful can't harden a Solaris box better, given enough time, but that's generally speaking not the case.

On the other hand, I'd say that f.i. FW-1/Gauntlet/Raptor on NT has better chances of securing your network properly than, for instance, a "Netgear broadband router with firewall functionality", even though the latter is an appliance.

... want me to keep ranting? :)

/Mikael

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00
Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50
WWW: http://www.clavister.com

"Senex semper diu dormit"

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards