Security Basics mailing list archives

RE: Hardware vs Software Firewall/Router


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 3 Apr 2003 08:50:51 -0800

-----Original Message-----
From: nsm () e-paradise net [mailto:nsm () e-paradise net]
Sent: April 1, 2003 19:12
To: security-basics () securityfocus com
Subject: Hardware vs Software Firewall/Router

I work for a consulting company that services businesses with
30 to 200 clients. Our IT Manager likes to use a Linksys or
a 3Com hardware firewall solution. He is also thinking of
introducing the Symantec Raptor (I could be incorrect on the
name) software solution. We are mostly a Windows-based firm
with little *nix experience, so most software solutions are
out already. My reason for posting is: I would like to
provide a valid argument for not using a software solution,
and for making our hardware solutions a little more "upscale",
say PIX, Nokia, Checkpoint etc. The IT manager's argument is
that he finds far fewer vulnerabilities in the software
solutions or the Linksys and 3Com than he does in the
PIX etc. I am of course familiar with all of the basic
differences; I am more so looking for valid argumentative
points. Any input would be greatly appreciated.

  Well, let's see.

  First of all, Checkpoint IS a software solution.  Nokia is
Checkpoint in an "appliance" package; Checkpoint's SecurePlatform
offering is a hardened Linux distro with their software on it.
(The strongest argument against "software" firewalls is that they
may inherit vulnerabilities from the underlying general-purpose
OS, and both Nokia and SecurePlatform address that.  Microsoft's
Proxy Server, for instance, required not just NT 4.0 but also
*IIS* to be installed first so it could re-use components from
that; I'm not sure that their ISA product doesn't have similar
requirements.)
  NetScreen and PIX are other popular "appliance" firewalls, where
the OS is not general-purpose or exposed.  Between them, Checkpoint
(including Nokia), NetScreen and PIX account for the bulk of the
firewall market.  (i.e., other IT managers have found their arguments
persuasive....)
  Raptor is probably #4.  It takes a somewhat different approach to *how*
to secure network communications, and for larger firms I would have
some concerns that its performance is not likely to scale well.

  The Linksys routers I've used have been adequate for a SOHO network,
and that's what Cisco recently bought them for.  I don't consider
them a "real firewall" -- in fact, the way they misuse common firewall
terminology leaves me in some doubt that the company could or would
build a real firewall box.  I would probably not consider them even
for the low end of your customer base, preferring something like a
NetScreen-5.

  I have not seen an actual 3Com router in 5 years.  The company
*can* build great products, but has not always done so.

David Gillett
