Firewall Wizards mailing list archives

Re: Proverbial appliance vs software based firewall


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sat, 26 Oct 2002 13:24:38 -0400

Ryan M. Ferris wrote:
> I think what is missing here from this discussion is a more serious debate
> on the inherent security differences between monolithic kernels and
> micro-kernels. Or perhaps real-time versus non-real time OS.

There hasn't been a lot of discussion around those issues
because there's not a lot of "there" there. "microkernels" are
mostly marketing hype, not a real technology. Nowadays, the
hardware abstraction layers for physical devices probably
represent more code than the entire V7 UNIX kernel. So what
should we call QNX? a "pico kernel"? ;)  See? It's just marketing.

The real question is complexity and management of complexity.
In _theory_ non-monolithic kernels are less complex, but in fact
what you've done is just shuffled the complexity around into
another place. So what if the filesystem is a separate process
from the scheduler, VM system, and IP stack? You still depend on
it just as much, and you've now got the additional worry of
making sure that the channel between kernel modules is tamper
proof _AND_ fast. Basically, you can't win. What happens is
that when security is applied to a non-monolithic kernel all
the developers heave a sigh of relief and conclude that security
is no longer THEIR PROBLEM and write the usual crap code.

> I agree "Appliance" is a meaningless term - I've worked on three different
> appliances each with a different version of a different customized
> monolithic kernel OS (W2K SAK, RH Linux 7.0, OpenBSD). Someone could ship
> you embedded NT in a toaster oven and call it secure.

Worse things than that have been done. Folks have shipped
"appliances" as "secure" that were running stock FreeBSD.
I even saw one hardware device that was running a lightened-up
version of Linux - including wu-ftpd with a million holes
you could march an army through...  It's just marketing.

> What is not meaningless to security and function is kernel size,
> functionality, hardware access levels.

I believe that for a given amount of functionality you'll
need approximately a constant amount of code, regardless of
where you squish it around. And we've all seen studies that
show that error-rates per k-line of code are fairly constant
and shockingly high. Hardware access controls can help but
are often sacrificed in the interest of performance. Sure,
you could make a modular (note I did not say "micro-") kernel
that used message passing between components and you could
use the MMU to protect the messages, etc, but it'd be slower
than the guys who didn't do it that way, and it'd get slated
for addition in the next release (a nice way of saying "it'll
never happen") ;)

> You are an NSA Analyst, monitoring traffic from multiple backbones that has
> been "muxed" or results from the parallel mirroring, spanning of many WDM
> optical switches - i.e. terabit amounts of information flow. The distributed
> systems needed to process such traffic on PC based systems would be immense
> in number. You would probably opt for hardware based solutions as they would
> be more easily centralized.

Huh? Why do you say hardware can be more easily centralized?
Centralization/management/etc functions are almost always written
in software that runs on the hardware. Sure, you might be using a
c00l new ASIC but it's gonna be running software on it, written
probably in C, most likely on a tight deadline, and almost
certainly with the same error rate/k-line of code as most other
software.

> You are a major corporation (50K computer users) that wants a single or
> minimal number of access points for all proxied or firewalled traffic. How could you
> use a PC based firewall for this purpose without using many firewalls?

Do you understand that all firewalls are written in software?
I bet they're all written in C. Maybe they're burned into an
ASIC someplace but that just makes it impossible to fix the
bugs in the burned-in code. :)  I've seen ASIC-based security
solutions that do some parts (e.g.: traffic collection) with the
ASICs but the higher level firewall functions are loaded from
flash memory. I.e.: they're software. They just don't run off a
hard disk and come with an install-shield script.

I think you believe too much marketing.

mjr.
---
Marcus J. Ranum                         http://www.ranum.com
Computer and Communications Security    mjr () ranum com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards