Firewall Wizards mailing list archives
dedicated vs. ordinary unix workstations
From: "Perry E. Metzger" <perry () piermont com>
Date: 05 Oct 1998 12:05:10 -0400
A stripped Unix workstation is no worse than most average dedicated "hardware". Why? Because "dedicated hardware" isn't. That is to say, if it speaks a complicated network protocol (say, TCP/IP), most of the complexity on that box is in the software, not in the chips. Calling it "dedicated hardware" is deceptive -- you are really talking about a box running a proprietary operating system, which is in all likelyhood not particularly less complex or particularly better written than a non-proprietary one. Given this, the "stripped unix box" vs. "proprietary operating system" question looks very different from the way the question was originally framed. Myself, I happily run high security applications (firewalls and such) on stripped-down NetBSD boxes. Why? Well, for one thing, having the kernel source, I can do stuff like make sure that source routes don't work by stripping the code physically out of the kernel to prevent accidents from ever occurring. If I find that I'm unhappy with the way anything on the system works, I can fix it (and often have), and when bugs are found, I can fix them quickly or get fixes for them. A stripped down box -- one that is listening on few if any ports at all, and is only listening with highly stripped down servers that are easy to audit -- seems to be pretty solid in the sort of security it can provide. "Dedicated hardware", as I noted, in the end means a weird computer running a proprietary operating system. I can't check if the thing does the right thing with certain edge conditions I'm worried about without treating it like a black box for testing. I can't fix bugs, and I have to take the manufacturers word on how the thing works. I know some claims were made here earlier by some that no one ever looked at the TIS FWTK code when they got it, but I sure did, and I often altered the code to improve or tune the security of the system. My experiences with that lead me to not want to go back to having to trust the maker of the tools I am using. Maybe I'm an oddity, but that's the way I am. Anyway, in summary, I believe a properly stripped unix system can be as secure or even more secure than a proprietary OS running on proprietary hardware, when used in security critical work like building a firewall. Perry
Current thread:
- dedicated vs. ordinary unix workstations Perry E. Metzger (Oct 05)