RE: Proverbial appliance vs software based firewall

["Jared Valentine" <hidden () xmission com>]

The real question then:  What did Dominic really mean by "software"
firewall.  I assumed the question was around "host-based personal firewalls"
(BlackICE, ZoneAlarm, Tiny, etc.) as opposed to a "perimeter firewall"
(Raptor, Sidewinder, Sonicwall, Netscreen, etc.)

I agree wholeheartedly with your comments as they relate to perimeter
firewalls.  I would surely hope that my perimeter firewall vendor
replaces/modifies the TCP/IP stack, limits the box to firewall-only tasks,
chooses a good base OS, hardens that OS, checks the source code, etc. etc.
Hardware/software... the security you get from that device probably won't
vary much between the two.  It's all software.  You might get better
performance out of hardware - but everyone has argued that the relative
security of either solution is comparable.

If we take the same question and look at it in the light of "host-based
personal firewalls", then I would tend to argue in favor of hardware.

> I agree that using a "trusted OS" would not be a bad idea - but it
> will only address part of the problem. In my opinion when you look at
> a firewall - regardless of whether it is an "appliance" or a
> "software based" product you have to consider the whole system. You
> need to consider what steps have been taken to address operating
> system issues, how does the policy engine and the stack handle all
> types of connection attempts, how does the firewall interface with
> the operating system - just to name a few.

I'll pick on the Windows world, although these comments potentially apply
for any operating system that has a personal firewall.  The problem with the
"whole system" in a host-based firewall world is the untrusted base OS -
Windows.  I return to viruses like Bugbear and Pentagoner, as well as trojan
horses like OptixPro/Lite/Killer, Buschtrommel, and y3krat.  They ALL
disable (turn off) personal/software firewalls.  It doesn't matter how good
the filtering engine is in the firewall.  It doesn't even matter if the
vendor replaced the entire Windows IP stack...  These malicious programs
simply do an end-run around the firewall by instructing the OS to turn off
the security software.

Up until the point where the software firewall gets disabled, I would argue
that both solutions had been equally "secure."  :)  After the software is
disabled, hardware seems much more attractive.

Until we can trust the OS... it doesn't seem to matter how much additional
security software we pile on.  Today, all that is required is that someone
get executable code on the machine.  There seem to be plenty of ways to get
code on a machine these days:  e-mail attachments, web pages (browser bugs),
floppy disks, network shares, p2p, server service vulnerabilities, the list
goes on and on.

> The problem is not with the software - the problem is with the
> design.

I would really like to say "my words exactly" - but they're your words.  ;)
The problem is with the design.

Jared Valentine
hidden () xmission com



-----Original Message-----
From: bmonkman () icsalabs com [mailto:bmonkman () icsalabs com]
Sent: Tuesday, October 15, 2002 9:16 AM
To: hidden () xmission com
Cc: firewall-wizards () icsalabs com
Subject: RE: [fw-wiz] Proverbial appliance vs software based firewall



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: Jared Valentine [mailto:hidden () xmission com]
> Sent: Tuesday, October 15, 2002 12:27 AM
> To: firewall-wizards () honor icsalabs com
> Subject: RE: [fw-wiz] Proverbial appliance vs software based
> firewall

While I usually agree with Pescatore's opinions I do not this time.
He is making a number of presumptions that are in my opinion flawed.

<snip>

> I especially liked the quote:
>
> "Throwing more security software at a security problem that
> is caused by the
> essentially insecure nature of software is like going to a
> blind barber-it
> can only end badly and, more likely than not, bloodily."

If a vendor does not make any effort to either:

1. Acquire OS source code and modify it to secure it;

2. Take steps to modify the stack to intercept connection requests
before they reach the application layer;

3. Document steps to follow to "harden" the OS; or

4. All of the above

then I agree with this statement. But to state that throwing a
software solution at a security problem is a bad idea misses the
mark.


> While it is correct that all security comes down to "software" at
> some point, I would argue that hardware is much more secure.  The

The problem is not with the software - the problem is with the
design. As you have said, design problems are not limited to just
"software". When you get down to it - whether it is an "appliance" or
"software based" solution - both come to life as code written by a
developer.

> difference
> between the two is that the hardware manufacturer can build
> off of a trusted
> base/OS.  They can look at the OS line by line and strip out
> everything not
> essential for the operating of that firewall.

There are ways to mitigate the risk inherent with running on top of
an OS. Sun Microsystems will provide their source code (or at least
most of it), the same with most of the other *nixs out there. With
respect to Windows there are a number of methods to secure the
environment - one I am familiar with is to replace the stack with a
stack you have control over. I do tend to agree with you that using
Windows introduces a level of difficulty where using other operating
systems does not. However, there are plenty of vendors that do an
excellent job of getting it right.

> A software firewall doensn't enjoy the same operating
> environment.  It lies
> on top of an inheriently unsecure general purpose operating
> system (ie;
> Windows), and therefore is subject to all of the
> vulnerabilities of that
> operating system.

True, but I have seen a number of "appliance" products that have had
similar problems.

> In recent weeks, bugbear has made the rounds.  Bugbear was
> quite different
> than many viruses out there in that it disables software firewalls
> and antivirus software.  I'm not recommending that anyone go
> without a software
> firewall or antivirus, but your best bet defense will be
> hardware if you
> wish to ultimately rely upon that solution.  This hardware can be
> an external firewall appliance, or a PCI/PC Card firewall device
> located in the
> Server/Desktop/Laptop.
>
> With this in light, the future looks interesting with things like
> TCPA/Palladium.  What if you could actually trust the
> operating system?!

I agree that using a "trusted OS" would not be a bad idea - but it
will only address part of the problem. In my opinion when you look at
a firewall - regardless of whether it is an "appliance" or a
"software based" product you have to consider the whole system. You
need to consider what steps have been taken to address operating
system issues, how does the policy engine and the stack handle all
types of connection attempts, how does the firewall interface with
the operating system - just to name a few.

When we test a candidate firewall product we tell the vendor up front
that they are responsible for the whole product - meaning hardware,
software and underlying operating system. Our position is that a
vendors choice of operating system should not effect the security of
the product. We will test for that and we will fail a product, and we
have, that is not secure - regardless of the root cause of the
vulnerability.

Brian Monkman
Firewall Programs Manager
ICSA Labs
1000 Bent Creek Blvd., Suite 200
Mechanicsburg PA 17050
Phone:717.790.8141  Fax:717.790.8170
www.icsalabs.com
PGP Key ID: 0x7E54D5CD


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBPawyN6MpP5h+VNXNEQJaPwCfUNRw9cgKwtbNbsLtbdPmJat0Kp4AniTK
xlH0/S7ZMdEJ0VhiNIvvpOhN
=CCFA
-----END PGP SIGNATURE-----

***********************************************************************
This message is intended only for the use of the intended recipient and
may contain information that is PRIVILEGED and/or CONFIDENTIAL.  If you
are not the intended recipient, you are hereby notified that any use,
dissemination, disclosure or copying of this communication is strictly
prohibited.  If you have received this communication in error, please
destroy all copies of this message and its attachments and notify us
immediately.
***********************************************************************




***********************************************************************
This message is intended only for the use of the intended recipient and
may contain information that is PRIVILEGED and/or CONFIDENTIAL.  If you
are not the intended recipient, you are hereby notified that any use,
dissemination, disclosure or copying of this communication is strictly
prohibited.  If you have received this communication in error, please
destroy all copies of this message and its attachments and notify us
immediately.
***********************************************************************

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards