Re: [fw-wiz] Proverbial appliance vs software based firewall

• Previous message: Anton Aylward: "RE: [fw-wiz] Proverbial appliance vs software based firewall"
• In reply to: Jared Valentine: "RE: [fw-wiz] Proverbial appliance vs software based firewall"
• Next in thread: Philip J. Koenig: "Re: [fw-wiz] Proverbial appliance vs software based firewall"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Jared Valentine wrote:
> 
> the hardware manufacturer can build off of a trusted
> base/OS.  They can look at the OS line by line and strip out everything not
> essential for the operating of that firewall.
> 
> A software firewall doensn't enjoy the same operating environment.  It lies
> on top of an inheriently unsecure general purpose operating system (ie;
> Windows), and therefore is subject to all of the vulnerabilities of that
> operating system.


I was saying to myself that I should stay out of this discussion;
anything I say here can likely be construed as a vendor plug, but, 
bah, Paul will hopefully just drop this post if it's too bad. 
If not, you are of course free to just ignore it. [1]

We sell our firewall as a software package as well as pre-installed
on appliance boxes.  (Hopefully this carries some weight; I don't care 
if people only want appliances. I'm equally happy either way.)

I argue that both are equally secure.

The fact of the matter is that both run on the same "os": no os.
The firewall is its own operating system.  Both want to be installed
on clean media.

Tell me how the appliance is more secure?

Sure, the average Joe is probably happier with the appliance, since he 
doesn't have to go out and find hardware that agrees with having heaps of 
NICs, we do that for him, but how is the appliance more _secure_?


I'm thinking that the topic should be: "are firewalls that you need to 
install on a default install of Solaris/Linux/Windows better than
firewalls that are shipped with a hardened OS (installation)?"
... or maybe "vendor hardened vs default install" 
rather than "appliance vs software". 
(But here's where it really starts to smell an awful lot like a vendor 
 plug[2], so I'll just end right here.)

/Mikael

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

"Senex semper diu dormit"

[1] These kind of postings were more fun back when I didn't have to
    think about things like this :/

[2] Luckily, there are a few other security product vendors[3] that ship 
    CDs that do their own OS installs and so forth, so hopefully the 
    stench isn't too ripe.

[3] FW-1 on Linux and the NFR CD come to mind. I'm sure there are others.
_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Next message: Vincent Haverlant: "Re: [fw-wiz] Help w/ Port 137 Traffic"
• Previous message: Anton Aylward: "RE: [fw-wiz] Proverbial appliance vs software based firewall"
• In reply to: Jared Valentine: "RE: [fw-wiz] Proverbial appliance vs software based firewall"
• Next in thread: Philip J. Koenig: "Re: [fw-wiz] Proverbial appliance vs software based firewall"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Oct 15 2002 - 09:08:16 PDT