Firewall Wizards mailing list archives
Re: Proverbial appliance vs software based firewall
From: "Patrick M. Hausen" <hausen () punkt de>
Date: Mon, 28 Oct 2002 08:43:57 +0100 (CET)
Hi all!

MJR wrote:

> Jared Valentine wrote:
>
>> "Throwing more security software at a security problem that is caused by the essentially insecure nature of software is like going to a blind barber - it can only end badly and, more likely than not, bloodily."
>
> Cute turn of phrase but what's he really saying? He's saying he doesn't know what software is. And he probably doesn't know what hardware is either. He appears to think that buggy code only exists on hard disks, and doesn't realize that buggy code can also get compiled down into FPGAs or StrongARM processors or coprocessors or whatever.
>
>> While it is correct that all security comes down to "software" at some point, I would argue that hardware is much more secure. The difference between the two is that the hardware manufacturer can build off of a trusted base/OS. They can look at the OS line by line and strip out everything not essential for the operating of that firewall.
>
> Go stand in the corner with Pescatore. ;)
A point that IMHO is still missing in this discussion is the funny impression that you just need to sit down with an empty file in your text editor and you could go and write a mature _and_ secure implementation of TCP/IP from scratch. It just needs to be small, the hardware vendor is in control of everything - do you really believe your average hardware/appliance manufacturer is competent enough to do that?

Let me explain: As has been proven over and over again, implementing these protocols is definitely non-trivial. And - as shown by new funny ways of exploiting stateful inspection firewalls (fragmentation tricks, partial ACK with carefully crafted buffers, ...) - the firewall _must_ have a _complete_ understanding of all protocols in question. If you ignore application level checking of content (HTTP/HTML validation anyone?) completely, that leaves at least all of IP, TCP, UDP in the game.

*fetching Stevens, Volume II* ... Berkeley Net/3 is about 15,000 lines of code total. I seriously doubt that anyone can reimplement that in an order of magnitude less code. 15,000 lines - all controlled by the appliance vendor, yeah. And all programmers are as smart as Van Jacobson, ... And they will get everything correct the first time that took Kahn, VJ, and all the other brilliant minds years to solve.

Just look at how long and painful the process of reimplementing the IP stack was for the Linux crowd. 3 implementations - or are we counting 4 already? That means at least 2 complete make-overs to get it right.

I'd pick an application level gateway based on a general purpose OS with a BSD based IP implementation over something that is called "embedded" or "appliance" or "micro-blah" any time. Doesn't it feel good to know that _they_ got tcp_input() right and you don't need to worry about partial ACKs or some such, when writing your application level proxy?

Regards,

Patrick M. Hausen
Technical Director

--
punkt.de GmbH
Internet - Services - Consulting
Scheffelstr. 17 a
76135 Karlsruhe
Tel. 0721 9109 -0
Fax: -100
http://punkt.de

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
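The fragmentation trick referred to in the message above, shown as an added example that is not part of the original post or of any vendor's code: three constructed IP fragments where a later fragment completely overlaps an earlier one. A filter that inspects each fragment on its own, a reassembler that keeps the first data it saw, and one that lets later data overwrite earlier data each see a different payload. The "first" and "last" policies are deliberately simplified stand-ins for real host behaviour, and the fragment contents, `Fragment`, `reassemble` and `evaluate` are names made up for this example.

```python
"""Overlapping IP fragments seen three ways: per-fragment inspection and
two reassembly policies.

Added example, not code from the original post.  The fragment train and
the "first"/"last" policies are constructed, simplified stand-ins; real
stacks use more elaborate overlap rules.
"""

from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment's data within the datagram
    data: bytes


def reassemble(fragments: Iterable[Fragment], policy: str) -> bytes:
    """Reassemble fragments in arrival order under one overlap policy.

    policy == "first": a byte that was already written is kept
                       (earlier data wins)
    policy == "last":  later fragments overwrite earlier ones
    """
    if policy not in ("first", "last"):
        raise ValueError("unknown policy: %r" % (policy,))
    frags = list(fragments)
    total = max(f.offset + len(f.data) for f in frags)
    buf = bytearray(total)
    written = [False] * total
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if policy == "first" and written[pos]:
                continue          # earlier data wins; drop the overlap
            buf[pos] = b
            written[pos] = True
    return bytes(buf)


def inspect_per_fragment(fragments: Iterable[Fragment], needle: bytes) -> bool:
    """What a filter that never reassembles sees: each fragment on its own."""
    return any(needle in f.data for f in fragments)


def evaluate(fragments: List[Fragment], needle: bytes) -> Dict[str, bool]:
    """Does `needle` show up in each of the three views of the same train?"""
    return {
        "per_fragment": inspect_per_fragment(fragments, needle),
        "first": needle in reassemble(fragments, "first"),
        "last": needle in reassemble(fragments, "last"),
    }


# Constructed fragment train, in arrival order.  The third fragment
# overlaps the second one completely, so the two reassembly policies
# disagree about what the datagram said.
FRAGMENTS = [
    Fragment(0, b"GET /"),
    Fragment(5, b"index.html"),
    Fragment(5, b"etc/passwd"),
]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(FRAGMENTS, policy))
    print(evaluate(FRAGMENTS, b"/etc/passwd"))
```

Run it with `python3` and the three views disagree: no single fragment contains `/etc/passwd` (the slash sits in the first fragment, the rest in the third), "first" reassembly yields `GET /index.html`, and "last" reassembly yields `GET /etc/passwd`. A firewall that inspects fragments individually, or that reassembles with a policy different from the destination host's, passes traffic that it never actually saw in the form the host will act on; that is the sense in which the firewall needs the complete protocol implementation, not a subset of it.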
Current thread:
- Re: Proverbial appliance vs software based firewall, (continued)
- Re: Proverbial appliance vs software based firewall Volker Tanger (Oct 16)
- Re: Proverbial appliance vs software based firewall Christopher Hicks (Oct 16)
- Re: Proverbial appliance vs software based firewall Paul D. Robertson (Oct 16)
- Re: Proverbial appliance vs software based firewall Bennett Todd (Oct 16)
- Re: Proverbial appliance vs software based firewall Marcus J. Ranum (Oct 26)
- Re: Proverbial appliance vs software based firewall Marcus J. Ranum (Oct 26)
- Re: Proverbial appliance vs software based firewall Mikael Olsson (Oct 27)
- RE: Proverbial appliance vs. software based firewall Bill Royds (Oct 27)
- RE: Proverbial appliance vs software based firewall Ofir Arkin (Oct 14)
- RE: Proverbial appliance vs software based firewall Jared Valentine (Oct 16)