Security Basics mailing list archives
RE: Hardware vs Software Firewall/Router
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 3 Apr 2003 08:50:51 -0800
-----Original Message-----
From: nsm () e-paradise net [mailto:nsm () e-paradise net]
Sent: April 1, 2003 19:12
To: security-basics () securityfocus com
Subject: Hardware vs Software Firewall/Router

I work for a consulting company that services businesses with 30 to 200 clients. Our IT Manager likes to use a Linksys or a 3Com hardware firewall solution. He is also thinking of introducing the Symantec Raptor (I could be incorrect on the name) software solution. We are mostly a Windows-based firm with little *nix experience, so most software solutions are out already.

My reason for posting is: I would like to provide a valid argument for not using a software solution, and for making our hardware solutions a little more upscale, say PIX, Nokia, Checkpoint etc. The IT manager's argument is that he finds far fewer vulnerabilities in the software solutions or the Linksys and 3Com than he does in the PIX etc. I am of course familiar with all of the basic differences; I am more so looking for valid argumentative points. Any input would be greatly appreciated.
Well, let's see.

First of all, Checkpoint IS a software solution. Nokia is Checkpoint in an "appliance" package; Checkpoint's SecurePlatform offering is a hardened Linux distro with their software on it. (The strongest argument against "software" firewalls is that they may inherit vulnerabilities from the underlying general-purpose OS, and both Nokia and SecurePlatform address that. Microsoft's Proxy Server, for instance, required not just NT 4.0 but also *IIS* to be installed first so it could re-use components from that; I'm not sure that their ISA product doesn't have similar requirements.)

NetScreen and PIX are other popular "appliance" firewalls, where the OS is not general-purpose or exposed.

Between them, Checkpoint (including Nokia), NetScreen and PIX account for the bulk of the firewall market. (i.e., other IT managers have found their arguments persuasive....)

Raptor is probably #4. It takes a bit different approach to *how* to secure network communications, and for larger firms I would have some concerns that its performance is not likely to scale well.

The Linksys routers I've used have been adequate for a SOHO network, and that's what Cisco recently bought them for. I don't consider them a "real firewall" -- in fact, the way they misuse common firewall terminology leaves me in some doubt that the company could or would build a real firewall box. I would probably not consider them even for the low end of your customer base, preferring something like a NetScreen-5.

I have not seen an actual 3Com router in 5 years. The company *can* build great products, but has not always done so.

David Gillett
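The reply above argues that a "software" firewall inherits the attack surface of the general-purpose OS it runs on. A practical way to test that claim on a given host is to compare what is actually listening on it against the short list of services a dedicated firewall is supposed to expose. The script below is an added example, not code from the thread or from any of the vendors named in it: it parses the output of `ss -ltnup` from a Linux firewall host and reports every listener that is not on an allowlist, distinguishing loopback-only sockets from ones reachable from the network. The sample `ss` output, the allowlist (SSH management plus IKE/NAT-T for a VPN daemon) and the process names are constructed for illustration.

```python
"""Audit listening sockets on a software-firewall host against an allowlist.

Added example (not from the original mailing-list thread).  Input is the text
of `ss -ltnup` (iproute2 on Linux); a constructed sample is embedded so the
script runs offline.  The allowlist, ports and process names are assumptions.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `ss -ltnup` output from a hypothetical firewall host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    10.0.0.1:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:25         0.0.0.0:*         users:(("master",pid=1001,fd=13))
tcp   LISTEN 0      511    0.0.0.0:80           0.0.0.0:*         users:(("httpd",pid=1203,fd=4))
tcp   LISTEN 0      128    [::]:22              [::]:*            users:(("sshd",pid=812,fd=4))
udp   UNCONN 0      0      0.0.0.0:500          0.0.0.0:*         users:(("charon",pid=900,fd=10))
udp   UNCONN 0      0      0.0.0.0:4500         0.0.0.0:*         users:(("charon",pid=900,fd=11))
"""

# Services a dedicated firewall host is expected to expose (assumed for the
# example): SSH for management, IKE and NAT-T for the VPN daemon.
ALLOWED: Set[Tuple[str, int]] = {("tcp", 22), ("udp", 500), ("udp", 4500)}

# Addresses that only local processes can reach.
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

# Extracts the first process name from ss's `users:(("name",pid=...))` column.
PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def split_addr_port(local: str) -> Tuple[str, int]:
    """Split ss's Local Address:Port field, e.g. '[::]:22' -> ('[::]', 22)."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def parse_listeners(ss_text: str) -> List[Dict]:
    """Turn `ss -ltnup` output into a list of listener records."""
    rows = []
    for line in ss_text.splitlines():
        if not line.strip() or line.startswith("Netid"):
            continue  # blank line or column header
        parts = line.split(None, 6)
        if len(parts) < 6:
            continue  # not a socket row
        proto, _state, _recvq, _sendq, local, _peer = parts[:6]
        addr, port = split_addr_port(local)
        match = PROC_RE.search(parts[6]) if len(parts) > 6 else None
        rows.append({"proto": proto, "addr": addr, "port": port,
                     "process": match.group(1) if match else "?"})
    return rows


def audit(listeners: List[Dict], allowed: Set[Tuple[str, int]]) -> List[Dict]:
    """Return every listener not on the allowlist, flagging network reachability."""
    findings = []
    for item in listeners:
        if (item["proto"], item["port"]) in allowed:
            continue
        findings.append({**item, "reachable": item["addr"] not in LOOPBACK})
    return findings


def externally_exposed(findings: List[Dict]) -> List[str]:
    """Process names for unexpected listeners bound to a non-loopback address."""
    return [f["process"] for f in findings if f["reachable"]]


if __name__ == "__main__":
    found = audit(parse_listeners(SAMPLE_SS_OUTPUT), ALLOWED)
    for f in found:
        scope = "NETWORK-REACHABLE" if f["reachable"] else "loopback only"
        print(f'{f["proto"]}/{f["port"]:<5} {f["addr"]:<12} {f["process"]:<8} {scope}')
```

On a real host, pipe `ss -ltnup` into `parse_listeners` instead of using the embedded sample. Anything that shows up as network-reachable and is not the firewall itself (in the sample, the web server on port 80) is exactly the "inherited" exposure the reply describes: a service the general-purpose OS brought along, which an appliance with a minimal, non-exposed OS would not have.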
Current thread:
- Hardware vs Software Firewall/Router nsm (Apr 02)
- RE: Hardware vs Software Firewall/Router David Gillett (Apr 04)
- Re: Hardware vs Software Firewall/Router Xaos (Apr 04)
- <Possible follow-ups>
- Re: Hardware vs Software Firewall/Router James Lee Gromoll (Apr 03)
- Re: Hardware vs Software Firewall/Router Jim Miller @ Cox (Apr 04)
- Re: Hardware vs Software Firewall/Router David Vertie (Apr 04)
- RE: Hardware vs Software Firewall/Router Chris Berry (Apr 04)