Firewall Wizards mailing list archives

Re: Proverbial appliance vs software based firewall


From: "James Maher" <James.Maher () ird govt nz>
Date: Tue, 15 Oct 2002 16:39:56 +1300


Well....

I think it is also a case of being able to keep the box in a state that is secure.
I have found it a nightmare to maintain Solaris boxes that are hardened, and one always feels that although they may 
have been hardened well originally, are they still as secure?
And how can you be sure etc...
It just generates a great deal of admin overhead which can in turn result in less secure boxes rather than more secure 
ones.

just my tuppence worth
That said I would still not choose a FW-1 system as I do not believe it has a transparent enough security model (too 
many implied/secret rules aka black magic, "well it is working now but I am b#$%^ed if I know how I got it into this 
state" ;-)
maybe I need a holiday


PS sorry for flicking this at you originally and not the list, Mikael; mind not able to multitask
;-)

Mikael Olsson <mikael.olsson () clavister com> 10/15/02 07:31a.m. >>>

Dominic Malig wrote:

[...] appliance vs software firewall 'which is better' [...]

Given that we tout both software packages and appliances, I think I 
can authoritatively say that there is virtually zero difference between 
the concepts.  For _our_ stuff, the only difference is that we know 
beforehand that the software works reasonably well with the hardware.

So, a generalistic discussion about software/appliance is
pretty much a moot point.

Now, if you want to discuss pros and cons of software/appliance for
specific firewall vendors, I'm sure we can come up with more 
interesting points.  For instance, I believe that most people will
get a more secure solution if they buy FW-1 on a Nokia box, rather
than setting FW-1 up on Solaris, or (horror!) NT for that matter.
Why?  I believe Nokia does a good job of hardening their boxes; likely
a better job than most people can do hardening Solaris/NT boxes. That is 
not to say that someone really clueful can't harden a Solaris box better, 
given enough time, but that's generally speaking not the case.

On the other hand, I'd say that f.i. FW-1/Gauntlet/Raptor on NT has 
better chances of securing your network properly than, for instance,
a "Netgear broadband router with firewall functionality", even though 
the latter is an appliance.


... want me to keep ranting? :)

/Mikael

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com 

"Senex semper diu dormit"
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com 
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
