Firewall Wizards mailing list archives
Re: Firewall: dedicated equipament x Unix workstation
From: David Bonn <David.Bonn () watchguard com>
Date: Fri, 2 Oct 1998 13:01:39 -0700
"Carlos" == Carlos Henrique Bauer <bauer () atlas unisinos tche br> writes:

Carlos> Some people believe that firewalls running in a dedicated network
Carlos> device are more secure than the ones running on a generic Unix
Carlos> workstation.
Carlos> Is that true, a myth or just a matter of taste?

I've got biases because I profit from firewalls as a dedicated network device.

I'll make some bald assertions that I think most people will agree with:

o One can best avoid security risks associated with a piece of software by not using that piece of software.

o The difficulty of evaluating the security of a system increases very rapidly as the complexity of the system increases.

o Factors contributing to the complexity of a system are: size of the code ("lines" of code, instructions, whatever), number of subsystems, number of interfaces between subsystems, number of vendors.

o You can't do an evaluation of the security of a system if you can't vet the source code.

o Knowable risks are generally better than unknowable risks.

These are all motherhood and apple-pie issues.

I don't think it is reasonable to compare apples to oranges, so comparing a packet filtering router to a Unix box running a bunch of application gateways probably doesn't make a whole lot of sense.

Let's look at it from a vendor perspective. The vendor of a firewall appliance likely has all of the source code, from device drivers to operating system kernel (obviously they have sources to all of their firewall software too), so they are in a position to at least evaluate security risks. Appliance vendors also have an economic incentive to keep the firewall code as small as possible, since this directly reduces the cost of goods (larger flash RAMs rapidly get more expensive, although this argument is much softer with hard disk drives).

On the other hand, a host-based firewall has a much bigger set of risks. Evaluating the host operating system is much more problematic (how many host-based firewall vendors vetted the operating systems they run under?). Device drivers make this worse, since the set of drivers is potentially quite large and even more difficult to evaluate. Keeping current with security patches may well require the customer to integrate patches from two or more vendors. So the vendors ought to be vetting those patches too. The situation doesn't scale very well.

My $.02. Like I said, I'm biased.

David Bonn, CTO
WatchGuard Technologies, Inc.
david.bonn () watchguard com
Current thread:
- Firewall: dedicated equipament x Unix workstation Carlos Henrique Bauer (Oct 02)
- Re: Firewall: dedicated equipament x Unix workstation David Bonn (Oct 05)
- Re: Firewall: dedicated equipament x Unix workstation Joseph S. D. Yao (Oct 05)
- <Possible follow-ups>
- Re: Firewall: dedicated equipament x Unix workstation Ryan Russell (Oct 05)
- RE: Firewall: dedicated equipament x Unix workstation Gary Crumrine (Oct 05)
- RE: Firewall: dedicated equipment x Unix workstation Frank Willoughby (Oct 06)
- Re: Firewall: dedicated equipament x Unix workstation Matthew Patton (Oct 13)
- Re: Firewall: dedicated equipament x Unix workstation sedwards (Oct 14)