Firewall Wizards mailing list archives
RE: Proverbial appliance vs software based firewall
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sat, 26 Oct 2002 13:58:19 -0400
Jared Valentine wrote:
John Pescatore (VP @ Gartner) wrote a good report/article on just this subject. "Software security is soft security: Hardware is required."
What constantly boggles my mind is that anyone takes Gartner's pronouncements on security seriously... They're so ignorant they have no idea how ignorant they are. You've got to understand that most of the input into Gartner is from briefings arranged by the marketing departments of companies that are paying them to listen to their briefings. Basically, Gartner sits at the apex of the hype food-chain; they consume pure hype and produce little sh&t-pellets of hype that are as dense as neutronium. Remember, these are the guys who get all excited and talk about revolutionary new technologies like "intrusion prevention" without realizing that it's just a buzz-word for stuff that has been around for ages. They're idiots.
"Throwing more security software at a security problem that is caused by the essentially insecure nature of software is like going to a blind barber - it can only end badly and, more likely than not, bloodily."
Cute turn of phrase but what's he really saying? He's saying he doesn't know what software is. And he probably doesn't know what hardware is either. He appears to think that buggy code only exists on hard disks, and doesn't realize that buggy code can also get compiled down into FPGAs or strongARM processors or coprocessors or whatever.
While it is correct that all security comes down to "software" at some point, I would argue that hardware is much more secure. The difference between the two is that the hardware manufacturer can build off of a trusted base/OS. They can look at the OS line by line and strip out everything not essential for the operating of that firewall.
Go stand in the corner with Pescatore. ;)

The difference between the two is that usually, memory-space in hardware devices is _expensive_ and manufacturers don't want to run bloat-ware like UNIX kernels in it. So they use smaller kernels like VXworks or QNX or whatever. But there's a kernel (that's "software", see?) running down in there, you betcha. Do they look at the OS line by line? Hell no. Do they strip out security flaws? Hell no.

If they're using QNX or VXworks, they are using an OS that was designed to run in tight real-estate and consequently was made modular so that you don't automatically get a lot of stuff you don't NEED. This is unlike UNIX or Windows or (worse) Linux - where the kitchen sink is not only included, but it's bolted to the wall - and when you take the sink out because you didn't need it, the wall falls over.

In other words, those realtime operating environments are "secure" BY ACCIDENT in the cases where they are, in fact, secure. They also appear to be more secure because they're obscure and weird and hackers generally don't waste the time attacking them because there's not much to do with them once you've gotten into them. But any security that happens in these cases is because the operating environment (that's "software" that "boots" on the "embedded processor" often from read-only memory or flash so it can be upgraded) But it's _ALL_ software.

Basically, what's going on here is that having a "hardware" "appliance" lets people sweep upgrade problems under the rug and pretend that they don't need to worry about it. Think of it this way - when you buy a firewall that's got its firewalling logic blown into ROM, are you REALLY happy with that? What if some new attack comes out that the firewall doesn't protect you against? OOPS! Well, you'll upgrade it, if you're smart. But it'll be a software upgrade. Code, written in C, just like all the other firewalls.

mjr.
---
Marcus J. Ranum
http://www.ranum.com
Computer and Communications Security
mjr () ranum com