Firewall Wizards mailing list archives
Re: Proverbial appliance vs software based firewall
From: "Ryan M. Ferris" <rferris () rmfdevelopment com>
Date: Tue, 15 Oct 2002 11:06:36 -0700
I think what is missing here from this discussion is a more serious debate on the inherent security differences between monolithic kernels and micro-kernels. Or perhaps real-time versus non-real time OS. I agree "Appliance" is a meaningless term - I've worked on three different appliances each with a different version of a different customized monolithic kernel OS (W2K SAK, RH Linux 7.0, OpenBSD). Someone could ship you embedded NT in a toaster oven and call it secure. What is not meaningless to security and function is kernel size, functionality, hardware access levels. Gigabit throughput is still best achieved by a switched bus architecture and custom ASICS or other real-time micro-kernel OS. The shared bus archictecture of even the fastest PCS and gigabit NICs will never be a match for dedicated hardware in processing traffic. There are many security applications where monolithic kernels /non-real time OS will just not be appropriate: You can tick them off in a big list but imagine some critical scenarios: You are an NSA Analyst, monitoring traffic from multiple backbones that has be "muxed" or results from the parallel mirroring, spanning of many WDM optical switches - i.e. terabit amounts of information flow. The distributed systems needed to process such traffic on PC based sytems would be immense in number. You would probably opt for hardware based solutions as they would be more easily centralized. You are a major corporation (50K computer users) that wants a single or minimum access points for all proxied or firewalled traffic. How could you use a PC based firewall for this purpose without using many firewalls? Part of your security requirement is the ability to handle multiple flooding type attacks (i.e. DOS, RDOS, DDOS, etc) with low risk of reboot or network congestion. What you opt for is gigabit switch architecture in your firewall not a shared bus PC architecture because you don't believe a Gigabit NIC on a shared bus archictecture can outperform an ASIC. Obviously, the question becomes more confusing when you start putting $ 16K NICS with their own OS and memory into a PC. Ryan M. Ferris rferris () rmfdevelopment com Ryan M. Ferris rferris () rmfdevelopment com ----- Original Message ----- From: "Gary Flynn" <flynngn () jmu edu> To: <firewall-wizards () honor icsalabs com> Sent: Tuesday, October 15, 2002 9:27 AM Subject: Re: [fw-wiz] Proverbial appliance vs software based firewall
Anton Aylward wrote:On Tue, 2002-10-15 at 00:26, Jared Valentine wrote:While it is correct that all security comes down to "software" at some point, I would argue that hardware is much more secure. The
difference
between the two is that the hardware manufacturer can build off of a
trusted
base/OS. They can look at the OS line by line and strip out
everything not
essential for the operating of that firewall.So could some customers and they could do it with their specific needs in mind.I think that you "DON'T GET" Marcus's comment. Hardware in this sense is still software - embedded systems. Nothing in the Gartner paper contradicts that.Another way of looking at it is the difference between software installed and configured by the vendor vs software installed and configured by the customer...or maybe even proprietary vs open source (sorry, couldn't resist). The effectiveness probably depends on the needs and capabilities of the target market. I'm sure NSA would like the opportunity to inspect and tune their own kernel and OS configuration while a small company consisting mostly of web developers would rather leave that chore to the vendor (and therefore trust them with their security). One could make similar arguments either way for "appliance" web servers, mail servers, or other turn-key systems. -- Gary Flynn Security Engineer - Technical Services James Madison University Please R.U.N.S.A.F.E. http://www.jmu.edu/computing/runsafe _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Proverbial appliance "Its software, Jim!", (continued)
- Re: Proverbial appliance "Its software, Jim!" Anton Aylward (Oct 17)
- Re: Proverbial appliance "Its software, Jim!" Paul D. Robertson (Oct 17)
- Re: Proverbial appliance "Its software, Jim!" Mike Frantzen (Oct 17)
- Re: Proverbial appliance "Its software, Jim!" Stephen D. B. Wolthusen (Oct 17)
- Re: Proverbial appliance "Its software, Jim!" Marcus J. Ranum (Oct 26)
- Re: Proverbial appliance "Its software, Jim!" Anton Aylward (Oct 17)
- Re: Proverbial appliance vs software based firewall Mikael Olsson (Oct 14)
- RE: Proverbial appliance vs software based firewall Jared Valentine (Oct 15)
- RE: Proverbial appliance vs software based firewall Anton Aylward (Oct 15)
- Re: Proverbial appliance vs software based firewall Gary Flynn (Oct 15)
- Re: Proverbial appliance vs software based firewall Anton Aylward (Oct 15)
- Re: Proverbial appliance vs software based firewall Ryan M. Ferris (Oct 15)
- Re: Proverbial appliance vs software based firewall Volker Tanger (Oct 16)
- Re: Proverbial appliance vs software based firewall Christopher Hicks (Oct 16)
- Re: Proverbial appliance vs software based firewall Paul D. Robertson (Oct 16)
- Re: Proverbial appliance vs software based firewall Bennett Todd (Oct 16)
- Message not available
- Re: Proverbial appliance vs software based firewall Marcus J. Ranum (Oct 26)
- RE: Proverbial appliance vs software based firewall Anton Aylward (Oct 15)
- Re: Proverbial appliance vs software based firewall Marcus J. Ranum (Oct 26)
- Re: Proverbial appliance vs software based firewall Mikael Olsson (Oct 27)
- RE: Proverbial appliance vs. software based firewall Bill Royds (Oct 27)