RE: [fw-wiz] Proverbial appliance vs software based firewall

From: Anton Aylward (ajaat_private)
Date: Tue Oct 15 2002 - 06:28:06 PDT


    On Tue, 2002-10-15 at 00:26, Jared Valentine wrote:
    > 
    > While it is correct that all security comes down to "software" at some
    > point, I would argue that hardware is much more secure.  The difference
    > between the two is that the hardware manufacturer can build off of a trusted
    > base/OS.  They can look at the OS line by line and strip out everything not
    > essential for the operation of that firewall.
    
    I think that you "DON'T GET" Marcus's comment.
    Hardware in this sense is still software - embedded systems.
    Nothing in the Gartner paper contradicts that.
    
    Take a look at Alan Cooper's "The Inmates Are Running the Asylum".
    There is a big gulf between my 1951 Leica and my 2001 Leica.  The
    latter _is_ all done by software.  The former I can open up and see and
    repair.   And so on.
    
    No, the h/w vs s/w issue is more like this.
    
    As an example, suppose you have a firewall between two networks of
    radically differing trust levels.  You can make the "hardware" wiring
    connections in various ways:
    
        Option #1: Connect both sides to the same switch and use VLANs
                   to separate them.

        Option #2: Connect each side to a physically separate switch.
    
    The former is relying on s/w.  The latter relies on hardware.
    Yes, there are issues of "separation of duty" and all that good stuff.
    But the point is that even though the switch is a piece of hardware, it
    works by software.
    
    Same argument with an ESS-7 vs an old Strowger cross-bar.
    
    You might also check out Bruce Schneier's book "Secrets and Lies" and
    see his comments on embedded security devices such as those John
    Pescatore mentions.  They are not more invulnerable because they don't
    have a screen and keyboard and command line.  
    
    John Pescatore is blowing smoke.  The article is feel-good
    misinformation.
    
    /anton
    -- 
    Interoperability isn't an engineering issue, it's a business 
    issue.  Creating the Web -- HTTP plus HTML -- was probably 
    the last instance where standards of global importance were 
    designed and implemented without commercial interference. 
    Standards have become too important as competitive tools to 
    leave them where they belong, in the hands of engineers. 
    Incompatibility doesn't exist because companies can't figure 
    out how to cooperate with one another. It exists because 
    they don't want to cooperate with one another.  
    	-- Clay Shirky, 09/15/2000
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizardsat_private
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    



    This archive was generated by hypermail 2b30 : Tue Oct 15 2002 - 09:03:10 PDT