Firewall Wizards mailing list archives
Re: Proverbial appliance vs software based firewall
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sat, 26 Oct 2002 13:24:38 -0400
Ryan M. Ferris wrote:
> I think what is missing here from this discussion is a more serious debate on the inherent security differences between monolithic kernels and micro-kernels. Or perhaps real-time versus non-real time OS.
There hasn't been a lot of discussion around those issues because there's not a lot of "there" there. "microkernels" are mostly marketing hype, not a real technology. Nowadays, the hardware abstraction layers for physical devices probably represent more code than the entire V7 UNIX kernel. So what should we call QNX? a "pico kernel"? ;) See? It's just marketing. The real question is complexity and management of complexity. In _theory_ non-monolithic kernels are less complex, but in fact what you've done is just shuffled the complexity around into another place. So what if the filesystem is a separate process from the scheduler, VM system, and IP stack? You still depend on it just as much, and you've now got the additional worry of making sure that the channel between kernel modules is tamper proof _AND_ fast. Basically, you can't win. What happens is that when security is applied to a non-monolithic kernel all the developers heave a sigh of relief and conclude that security is no longer THEIR PROBLEM and write the usual crap code.
> I agree "Appliance" is a meaningless term - I've worked on three different appliances each with a different version of a different customized monolithic kernel OS (W2K SAK, RH Linux 7.0, OpenBSD). Someone could ship you embedded NT in a toaster oven and call it secure.
Worse things than that have been done. Folks have shipped "appliances" as "secure" that were running stock FreeBSD. I even saw one hardware device that was running a lightened-up version of Linux - including wu-ftpd with a million holes you could march an army through... It's just marketing.
> What is not meaningless to security and function is kernel size, functionality, hardware access levels.
I believe that for a given amount of functionality you'll need approximately a constant amount of code, regardless of where you squish it around. And we've all seen studies that show that error-rates per k-line of code are fairly constant and shockingly high. Hardware access controls can help but are often sacrificed in the interest of performance. Sure, you could make a modular (note I did not say "micro-") kernel that used message passing between components and you could use the MMU to protect the messages, etc, but it'd be slower than the guys who didn't do it that way, and it'd get slated for addition in the next release (a nice way of saying "it'll never happen") ;)
> You are an NSA Analyst, monitoring traffic from multiple backbones that has been "muxed" or results from the parallel mirroring, spanning of many WDM optical switches - i.e. terabit amounts of information flow. The distributed systems needed to process such traffic on PC based systems would be immense in number. You would probably opt for hardware based solutions as they would be more easily centralized.
Huh? Why do you say hardware can be more easily centralized? Centralization/management/etc functions are almost always written in software that runs on the hardware. Sure, you might be using a c00l new ASIC but it's gonna be running software on it, written probably in C, most likely on a tight deadline, and almost certainly with the same error rate/k-line of code as most other software.
> You are a major corporation (50K computer users) that wants a single or minimum access points for all proxied or firewalled traffic. How could you use a PC based firewall for this purpose without using many firewalls?
Do you understand that all firewalls are written in software? I bet they're all written in C. Maybe they're burned into an ASIC someplace but that just makes it impossible to fix the bugs in the burned-in code. :) I've seen ASIC-based security solutions that do some parts (e.g.: traffic collection) with the ASICs but the higher level firewall functions are loaded from flash memory. I.e.: they're software. They just don't run off a hard disk and come with an install-shield script. I think you believe too much marketing.

mjr.

---
Marcus J. Ranum http://www.ranum.com
Computer and Communications Security
mjr () ranum com