Jared Valentine wrote:
>
> the hardware manufacturer can build off of a trusted
> base/OS. They can look at the OS line by line and strip out everything not
> essential for the operating of that firewall.
>
> A software firewall doesn't enjoy the same operating environment. It lies
> on top of an inherently unsecure general purpose operating system (ie;
> Windows), and therefore is subject to all of the vulnerabilities of that
> operating system.

I was saying to myself that I should stay out of this discussion; anything I say here can likely be construed as a vendor plug, but, bah, Paul will hopefully just drop this post if it's too bad. If not, you are of course free to just ignore it. [1]

We sell our firewall as a software package as well as pre-installed on appliance boxes. (Hopefully this carries some weight; I don't care if people only want appliances. I'm equally happy either way.)

I argue that both are equally secure. The fact of the matter is that both run on the same "os": no os. The firewall is its own operating system. Both want to be installed on clean media. Tell me how the appliance is more secure?

Sure, the average Joe is probably happier with the appliance, since he doesn't have to go out and find hardware that agrees with having heaps of NICs, we do that for him, but how is the appliance more _secure_?

I'm thinking that the topic should be: "are firewalls that you need to install on a default install of Solaris/Linux/Windows better than firewalls that are shipped with a hardened OS (installation)?"

... or maybe "vendor hardened vs default install" rather than "appliance vs software".

(But here's where it really starts to smell an awful lot like a vendor plug[2], so I'll just end right here.)
/Mikael

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00
Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50
WWW: http://www.clavister.com

"Senex semper diu dormit"

[1] These kinds of postings were more fun back when I didn't have to think about things like this :/

[2] Luckily, there are a few other security product vendors[3] that ship CDs that do their own OS installs and so forth, so hopefully the stench isn't too ripe.

[3] FW-1 on Linux and the NFR CD come to mind. I'm sure there are others.

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
This archive was generated by hypermail 2b30 : Tue Oct 15 2002 - 09:08:16 PDT