Firewall Wizards mailing list archives
RE: Firewall: dedicated equipment x Unix workstation
From: Gary Crumrine <gcrum () us-state gov>
Date: Tue, 6 Oct 1998 08:55:44 -0400
I totally agree with all of your points Frank. Perhaps I should have prefaced my comments with a "For small business looking for some protection". Forgive me for having my eyes trained at the small targets. I just have some empathy for them. In today's marketplace, the numbers of small guys doing business on the net is very high, and growing. But unfortunately, only a very small percentage of them use any form of protection, many relying on what the ISP is or isn't providing. So from their perspective it makes a lot of sense. Not everyone has the budget to do things the "Right" way. The truly sad thing is that it is this segment of the market that cannot usually recover from a major wipeout, and quickly fail. They are the ones that need it the most, but can afford it the least. All that said, with today's manpower and skills shortages, the likelihood of change anytime soon is very small. I truly believe that the market is going to drive R&D in this direction whether we feel this is the "right" or wrong way of doing it. It all comes down to who has the money to spend and how fat is their wallets. The future is going to be so radically different than what it is today, that you may in the future see this as a totally different market segment, with radically different products being produced that are aimed at their specific needs. And yes, when it comes to CPU cycles, today's hardware offerings would produce bottlenecks, but I am not talking about high volume operations here, and with technology creep, and faster CPUs coming on line every 6 to 8 months, this becomes a shrinking problem. Today's R&D is tomorrow's products. The vendors that can pull this off will reap large benefits down the road.
JMHO

Gary

-----Original Message-----
From: Frank Willoughby [SMTP:frankw () in net]
Sent: Tuesday, October 06, 1998 2:00 AM
To: Gary Crumrine
Cc: firewall-wizards () nfr net
Subject: RE: Firewall: dedicated equipment x Unix workstation

Gary Crumrine brought up some good points in his mail.
The wisdom from the past used to point that way, but I have had a change in heart lately. After trying to convince clients that they need a box for a firewall, a box for virus checking, a box for intrusion detection, a box for RAS dialin, a box for a mail server, a box for a web server, and a box for an auth server for VPNs... yadda yadda yadda.. their eyes just glaze over and they walk away mumbling to themselves. There we go shooting ourselves in the foot again.
Gary's idea makes sense from a user perspective. It can save a lot of money in hardware, software, and sysadmin costs. Unfortunately, there are also a couple of issues which need to be examined. As the firewall is in series between the Internet and the company's network, it is also a single point of failure. Assuming that the firewall isn't vulnerable to other attacks (including Denial-Of-Service (DOS)), then the additional functionalities/apps may actually *decrease* the level of security and performance otherwise afforded by the firewall.

Here are a couple of implementation issues that should be examined before trying to integrate everything into the firewall:

o Performance. CPU cycles spent on <insert application here> are CPU cycles that aren't spent on firewalling. This slows down the network connections. At some point, an additional firewall may be needed for load balancing to make up for the lower performance (so we really didn't gain anything here).

o Security. From a security perspective, a firewall should be a dedicated box. Anything not directly related to firewalling should be removed from the system. The reason is that each additional application presents a potential avenue for an attacker to launch a DOS attack against the firewall, or exploit a vulnerability in the application that might permit the attacker to seize control of the firewall.

o Interoperability. Some things may work well together on the same box, others won't. Placing the different applications on different boxes reduces the chances that one application will interfere with another. It also reduces potential downtime trying to troubleshoot problems that the customer won't be able to solve.

o What is the vendor's core competence? If it is a firewall vendor, then their anti-virus software probably won't be as good as an anti-virus vendor's. Even if the vendor acquired the application vendor's companies, getting the engineering teams to work well together won't be easy.

o It adds to the complexity of testing. This alone will probably drive most firewall vendors crazy. Final Quality Assurance Testing for firewalls is very complex and difficult enough to do right (many don't do it right). Adding a half a dozen or two applications on the firewall only makes things worse. Will Application A introduce a potential security problem, impact the firewall's performance, cause a resource conflict, or a race condition? What if Application A causes an exception? If so, how will it affect the firewall's security & performance?

o The increased complexity may double (or more) the Final QA Test time - delaying the software's release date. This will probably go over like a lead balloon with the marketing folks who are really set on getting the product out the door yesterday.

o Who do you contact for support when something goes wrong? Is it the firewall's fault, <Application A vendor> or <Application B vendor>, hardware problems, interoperability problems, or any combination thereof? What will you do if a problem can't be easily traced to a particular application and each vendor says it is the other vendor's problem - not theirs?

o Going further, who is going to step up to the plate and make everything work together (and stand behind it)?

Can the above-mentioned applications be integrated into the firewall? Sure. Would you want to? Maybe, maybe not. Not being a glutton for punishment, I would rather avoid the issue and not try to be all things to all people. Do one thing, do it well. Most companies have little knowledge about security and have placed their trust in the vendors to do their job right. If the InfoSec vendors try to be all things to all people, they may compromise the security of their product (and the organizations who use their product).

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.

(c) Fortified Networks, Inc.
- http://www.fortified.com/
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Fixed Price Contracts - Expert Information Security Officers
Phone: (317) 573-0800   Fax: (317) 573-0817
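Frank's "Security" point, that a firewall should be a dedicated box with anything unrelated to firewalling removed, is something an administrator can verify mechanically rather than by assumption. The audit script below is an added example and is not code from this thread or from either author. It assumes a Linux firewall host and parses the output of `ss -tulpn`; the sample output embedded in it is constructed, and the allow-list of expected listeners (sshd for administration, an IKE daemon for the VPN endpoint) is hypothetical and would be tailored to the box's real role.

```python
"""Audit a firewall host's listening sockets against an allow-list.

Added example, not from the original mailing-list thread. Assumes a Linux
host whose listeners are enumerated with `ss -tulpn`. The allow-list and the
sample output are constructed for illustration.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Hypothetical allow-list: (protocol, port) -> process expected to own it.
# Anything else listening is "not directly related to firewalling".
ALLOWED_LISTENERS: Dict[Tuple[str, int], str] = {
    ("tcp", 22): "sshd",      # administrative access
    ("udp", 500): "racoon",   # IKE for the VPN endpoint
    ("udp", 4500): "racoon",  # IKE NAT traversal
}

# Matches the process name inside ss's users:(("name",pid=...,fd=...)) column.
PROCESS_RE = re.compile(r'\(\("([^"]+)"')


def parse_ss_line(line: str) -> Optional[Tuple[str, str, int, str]]:
    """Return (proto, local_addr, port, process) for one `ss -tulpn` data row.

    Header lines and anything that is not tcp/udp yield None.
    """
    fields = line.split()
    if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
        return None
    proto, local = fields[0], fields[4]
    # rpartition handles "0.0.0.0:22", "[::]:22" and "*:22" alike.
    addr, _, port = local.rpartition(":")
    if not port.isdigit():
        return None
    match = PROCESS_RE.search(line)
    process = match.group(1) if match else "?"
    return proto, addr, int(port), process


def audit(ss_output: str, allowed: Dict[Tuple[str, int], str] = ALLOWED_LISTENERS) -> List[str]:
    """Return one finding per listener the allow-list does not account for."""
    findings: List[str] = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        proto, addr, port, process = parsed
        expected = allowed.get((proto, port))
        if expected is None:
            # Loopback-only listeners are still extra code on the box, but are
            # not reachable from the wire, so label the exposure for triage.
            scope = "loopback only" if addr in ("127.0.0.1", "[::1]") else "network-facing"
            findings.append(f"UNEXPECTED {proto}/{port} ({scope}) owned by {process}")
        elif expected != process:
            findings.append(f"MISMATCH {proto}/{port} expected {expected}, found {process}")
    return findings


def audit_live_host() -> List[str]:
    """Run the audit against the real `ss -tulpn` output of this host."""
    result = subprocess.run(["ss", "-tulpn"], capture_output=True, text=True, check=True)
    return audit(result.stdout)


# Constructed sample output, in the column layout `ss -tulpn` prints.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:25        0.0.0.0:*     users:(("sendmail",pid=901,fd=4))
tcp   LISTEN 0      128    0.0.0.0:80        0.0.0.0:*     users:(("httpd",pid=950,fd=4))
tcp   LISTEN 0      128    127.0.0.1:5432    0.0.0.0:*     users:(("postgres",pid=1100,fd=5))
udp   UNCONN 0      0      0.0.0.0:500       0.0.0.0:*     users:(("racoon",pid=700,fd=7))
udp   UNCONN 0      0      0.0.0.0:4500      0.0.0.0:*     users:(("openvpn",pid=710,fd=6))
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SS_OUTPUT):
        print(finding)
```

On the constructed sample the audit reports the mail and web daemons as network-facing listeners the firewall has no business running, the database as a loopback-only extra, and a port that is allowed but owned by a process other than the one expected. Running `audit_live_host()` from cron and alerting on a non-empty result turns Frank's "do one thing, do it well" into a standing check rather than a one-time build decision.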