Vulnerability Development mailing list archives

Dedicated vs "shared use" firewalls


From: forrestc () IMACH COM (Forrest W. Christian)
Date: Thu, 24 Feb 2000 22:18:42 -0700


I hope this is the right forum for this, but what brought this up was the
entire Raptor discussion.

The way I understand raptor is that it is code that runs on NT.  This
makes me really queasy for reasons to be discussed below.

When I recommend a firewall solution, the core of the recommendation is
that the firewall run on hardware which is dedicated to the firewall and
that all non-firewall network functionality is either disabled or
removed.   I personally usually recommend a FreeBSD-based NAT/ipfw
solution which I have developed if cost is a concern to the user.  I have
also recommended Cisco PIX and several other options for larger clients.

I worry about firewall solutions which are generally implemented on
systems which themselves may or may not be secure.   For example, some of
the solaris/unix-based firewalls make me nervous because people tend to
run them on the same solaris box they have web, mail, and other solutions
on.   I worry along the same lines about any NT solutions as I do not feel
secure about the underlying NT os architecture and the services which may
be running on an NT box.

I'm also paranoid enough that I usually will either restrict
administrative access to the firewall to "physical connectivity", a la the
console or console port, or via a very very strict set of ips.  If I can't
restrict the IP range, or at least restrict it to "inside" users, I do not
enable the telnet service.   Thus ensuring that in most cases at least the
administrative part of the firewall won't be compromised.

In the FreeBSD solution I sell, I run a very stripped down kernel
(actually PicoBSD) which has very very little stuff in it.   In fact, the
box doesn't have any open, listening IP ports.

So, maybe to draw this to a close and to ask my real question here I can
just say this:

I am certain that the security of the underlying OS/security of the
configuration of the underlying system is VERY important to the security
of the firewall.

So, that said, is it possible that NT (or pick any OS) based firewalls are
generally less secure than say, a PIX box, because the underlying OS is
inherently less secure?  Does anyone have any data (or real life
experience) to back this up?   Does the tendency of NT to install/enable
services "by itself" pose a real security threat?   Or, maybe better put,
what seems to be the consensus on firewalls running on any given OS (as
opposed to a certain firewall product)?

- Forrest W. Christian (forrestc () imach com) KD7EHZ
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604      http://www.imach.com
Solutions for your high-tech problems.                  (406)-442-6648
----------------------------------------------------------------------
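An added example, not from the original post or the author's product, of the two practices the post describes for a FreeBSD ipfw firewall: a management rule fragment that admits admin traffic only from a strict set of source IPs, and a check that a stripped-down box has no listening ports beyond the ones it is meant to have. The admin subnet and interface name are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Values below are assumed
# placeholders, not the author's configuration.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/28}"   # assumed: only hosts allowed to manage the firewall
INSIDE_IF="${INSIDE_IF:-fxp0}"          # assumed: interface facing those hosts

# Emit ipfw rules protecting the firewall's own addresses ("me"): admin ssh
# only from ADMIN_NET arriving on the inside interface, replies for already
# established TCP sessions, and everything else addressed to the firewall
# itself denied and logged. Write the output to a file and load it with ipfw(8).
gen_mgmt_rules() {
    cat <<EOF
add 100 allow tcp from $ADMIN_NET to me 22 in via $INSIDE_IF setup
add 110 allow tcp from any to any established
add 120 deny log ip from any to me
EOF
}

# Audit a saved 'sockstat -4l' listing ($1) against a space-separated list of
# LOCAL ADDRESS values permitted to listen ($2, may be empty). Every other
# listener is printed and the function returns 1; it returns 0 when none is
# found, so a dedicated box with no open ports passes with an empty list.
# Columns of sockstat -l: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
check_listeners() {
    awk -v allowed=" $2 " '
        BEGIN { bad = 0 }
        NR > 1 && $5 ~ /^(tcp|udp)/ && index(allowed, " " $6 " ") == 0 {
            print "unexpected listener: " $2 " (pid " $3 ") on " $6
            bad = 1
        }
        END { exit bad }' "$1"
}

# Usage: sh fwcheck.sh rules            -> print the management rules
#        sh fwcheck.sh check FILE [ALLOWED] -> audit a saved sockstat listing
case "${1:-}" in
    rules) gen_mgmt_rules ;;
    check) check_listeners "$2" "${3:-}" ;;
esac
```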

