Firewall Wizards mailing list archives
Re: Proverbial appliance vs software based firewall
From: "Paul D. Robertson" <proberts () patriot net>
Date: Wed, 16 Oct 2002 09:08:59 -0400 (EDT)
On Wed, 16 Oct 2002, Christopher Hicks wrote:
> death importance, so I personally don't think the 'appliance' label applies to any firewall or security product in existence.
That battle has been lost...
> What is not meaningless to security and function is kernel size,

The size of the code of the whole firewall is important. People can easily make a tiny kernel (ding, a microkernel) and push all of the functionality out into modules. So, realistically you have to look at the entire code size to determine if they've made it adequately simple. Somebody should do a study of how simpler firewalls are less likely to break, but the vendors would be reticent to admit to their code size and it'd be hard to verify their answers if they were 'willing'.

Then again, another study of how folks who rewrite their own implementations tend to recreate "solved" problems would be about as interesting. While writing an OS that's designed to host the firewall from the ground up isn't necessarily a bad thing, threading, memory management, frag handling, packet ordering, NIC drivers, sequence number handling and all the other stuff that needs doing is easy to make mistakes in.

If you need to suddenly process a bunch more users because of, say, an acquisition, you can't just move the software on an appliance to a larger box (granted, most IP things scale better horizontally than vertically, but some things tend to have to have vertical scale points if they're rushed into.) If you're doing proxies, and you want to add a new "cool" thing that's totally necessary to the business' moving forward, you're not going to be able to do that on a non-general purpose OS very easily.

That doesn't mean "appliance" firewalls aren't really useful, but it does mean that, like everything else, there are trade-offs, and that's why I still think firewall selection is something that requires not limiting oneself to any particular category (appliance, non-appliance, SOHO, personal...) without significant analysis. As Mikael pointed out, the appliance code doesn't have to necessarily run on an appliance too, so the distinction may be arbitrary in some circumstances.

Paul

-----------------------------------------------------------------------------
Paul D. Robertson          "My statements in this message are personal opinions
proberts () patriot net     which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment, TruSecure Corporation