Security Basics mailing list archives

RE: Software/Hardware Firewall


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 17 Apr 2003 11:51:01 -0700

  One of the problems with the "hardware vs. software firewall"
debate (which rears its head on a regular basis) is that the
distinction is rarely clearly understood by those posing the
question (and often also by those attempting to answer it!).

  There are at least three distinctions that may be drawn
between different firewall implementations that *might* appear
to be "hardware vs. software":

1.  Firewall applications that run purely in software (e.g., FW-1,
PIX, etc) versus those that offload some tasks to custom ASIC
silicon (as (some of?) NetScreen's products (claim to) do).  This
is the version of the question you've attempted to answer here,
although some of NetScreen's claims appear to dispute the answer
you've offered.  (Clearly *some* of NetScreen's functionality is
implemented in updatable firmware/software, so I do not know of
any PURE hardware solutions.)
  Part of the power of digital technology is that functions which
would be quite challenging to implement purely in hardware can
often be implemented much less expensively in software.  (In
absolute terms, the software implementation is rarely as fast as
specialized hardware could be, but as long as it's fast *enough*,
the cost saving tends to win.)
  So this variation of the question is rarely very interesting
to discuss.

2.  "Desktop firewall applications" that run directly on the
host, as opposed to firewall boxes in the network which
function as routers (or, occasionally, bridges).  i.e., should
the firewall process run on its own box ("dedicated hardware")?
  There are really two parts to this question.  Protecting each
machine individually seems to work well in home or individual-user
environments, but does not scale well to networks of thousands
of machines.  So in most cases the environment of use dictates
whether this is an acceptable solution or not.
  The other piece of this question, though, is a specific case
of a third general interpretation of the "hardware vs. software"
question....

3.  Firewall applications that run on top of a general-purpose
OS and hardware (e.g., CheckPoint FW-1 on Solaris, Windows, or
Linux) versus firewall applications preinstalled with custom OS
on possibly custom hardware (e.g. PIX, FW-1 on Nokia or switch
blades, etc.)  i.e., do you buy/license the firewall as software
to run on standard hardware/OS you provide, or as a preconfigured
hardened box ("piece of hardware")?
  Desktop firewall applications (see 2) always fall into the first
of these alternatives, but with dedicated hardware you have a choice.
  Specialized hardware and OS platforms are expensive for several
reasons.  They require the firewall manufacturer to engage in (and
excel at!) a wider variety of tasks than a software-only approach,
and manufacturing costs cannot be recouped using economies of scale
because the market is rather limited.
  On the other hand, a firewall implementation that relies on
general-purpose hardware and OS support may inherit vulnerabilities
from those components that the firewall vendor may not be able to
anticipate, or to fix.
  THIS is where you get into an interesting set of trade-offs, where
differences in manufacturer quality and customer priorities can lead
to very different recommendations for networks of similar size and
topology.

David Gillett



-----Original Message-----
From: thedistance [mailto:thedistance () 1thedistance com]
Sent: April 17, 2003 10:22
To: jpastore () idetech net
Cc: security-basics () securityfocus com
Subject: Re: Software/Hardware Firewall


Actually, correct me if I'm wrong, but all firewalls are software. It's just that some are packaged with specific hardware packages. This is true for Cisco Pix, Netscreen, and I believe the Watch Guard as well as others. The only difference is that the software is customized for specific hardware and the software has limited interaction with the end user. A hardware firewall would be a dangerous beast since once an exploit is found you would have to purchase a new device or send it in to be refitted. I believe the differences are more clearly expressed in terms of "Prepackaged Firewall" and "Build your own Firewall".


td


I've never cared about hardware versus software, as long as the job got done. I mean technically you would have fewer problems with hardware (someone's going to flame me for that). The reason I say this is I have a Dell server using iptables with 2 NICs, and you would think everything would be fine... well, the driver that kudzu picked was deprecated by Red Hat, and I had this problem where something got overflowed or hung... whatever... and iptables said "I can't deal with this, let the packets FLOW"... all goes back to this deprecated driver... if it's deprecated, remove it... I understand leaving in nslookup, but drivers? Come on, that was a potentially bad problem that we were lucky we found first...

Anyway, we're purchasing a Watch Guard Firebox 1000; this thing seems pretty kewl...

Jon Pastore, President
IDE Tech, Inc.
(954) 360-0393 Office
(954) 428-0442 Fax



On 4/16/03 2:43 PM, "Jon Pastore" <jpastore () idetech net> wrote:


--
thedistance



---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hands-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place.
http://www.securityfocus.com/BlackHat-security-basics
----------------------------------------------------------------------------
