Re "appliance" -vs- "software", I think it's very important to straighten out what distinction you mean. As others have said on this thread, there are at least two different classifications that some people mean --- neither of which is well-described by the above labels:-).

Some folks, with an engineering point of view, are talking about the implementation technology in use --- there's the custom ASICs and embedded OS crowd versus the general-purpose OS on commodity hardware distinction. That one settles pretty simply. Custom hardware/embedded OS firewalls are elaborated packet filters; this means that they're:

- often faster;
- generally less flexible in adapting to new protocols _if_ protocol-specific analysis is required;
- generally easier to configure for new protocols if it's not;
- generally less secure in doing correct high-level analysis of complex protocols.

and the complement of the above generalizations would then apply to the general-purpose-OS/commodity-hardware firewall plants --- although, sadly, some people fielding such firewalls are just doing packet filtering, and failing to take advantage of the bastion to run really good application-specific proxies.

Then there's the other half, and this is more the market viewpoint, the manager's picture of things. From this point of view, the appliances may or may not be PCs running Linux under the hood, but they're sold pre-configured, with limited customization flexibility, and the vendor provides support for the resulting gizmo as a _firewall_. This appeals in shops where you don't have the in-house expertise to do a good job of building a firewall from scratch.

In my own practice of firewall-building, anywhere I work, there's the in-house expertise to build a firewall from scratch. So I tend to advocate homebuilt bastions.
Big firewall plants are multi-layered beasties, with different technologies in different layers; typically an outer layer --- perhaps only outside, perhaps on the outermost and innermost faces --- is doing packet filtering, an intermediate layer is pure application proxy bastions, and suitably placed here and there you have various sorts of service-providing servers. For these I tend to favour carefully-configured "appliances" for the packet filtering, just because it's a low-intelligence part of firewalling, where idiot appliances can compete effectively, and this is an easy way to get some substantial diversity all through your plant. If someone presents a firewall plant that's all one technology --- e.g. the same OS, or the same vendor appliance --- in all its layers, then reject it unless the setting is low sensitivity.

-Bennett
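An added example, not code from the post above or from any product it mentions: a toy first-match packet filter next to a toy HTTP application-proxy check, run over the same constructed packets, to make the packet-filter-versus-proxy distinction in the post concrete. The outer layer decides on the 5-tuple alone; the inner layer parses the request and enforces protocol semantics. Rule syntax, function names, the TEST-NET addresses and the sample requests are all assumptions made for the example.

```python
# Added example (not from the original post): a toy packet filter beside a
# toy HTTP proxy check.  Rule format, names and sample traffic are assumed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str             # source IP
    dst: str             # destination IP
    proto: str           # "tcp" or "udp"
    dport: int           # destination port
    payload: bytes = b""


@dataclass(frozen=True)
class FilterRule:
    action: str          # "allow" or "deny"
    src: str             # CIDR
    dst: str             # CIDR
    proto: str           # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any port


def packet_filter(rules: List[FilterRule], pkt: Packet) -> str:
    """First-match packet filter: decides on addresses, protocol and port only.
    It never looks at pkt.payload, which is all a pure filtering layer can do."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for r in rules:
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if src not in ipaddress.ip_network(r.src):
            continue
        if dst not in ipaddress.ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "deny"  # default deny when no rule matches


ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_HEAD_BYTES = 8192


def http_proxy_check(payload: bytes) -> Tuple[bool, str]:
    """Application-proxy style check: parse the HTTP request head and enforce
    method, version, request-target shape and Host header.  Returns (ok, why)."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete request head"
    if len(head) > MAX_HEAD_BYTES:
        return False, "request head too large"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return False, "method not permitted: " + method
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, "unsupported version: " + version
    if not target.startswith("/"):
        return False, "request-target must be origin-form"
    hosts = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            return False, "malformed header line"
        if name.strip().lower() == "host":
            hosts.append(value.strip())
    if version == "HTTP/1.1" and len(hosts) != 1:
        return False, "HTTP/1.1 requires exactly one Host header"
    return True, "ok"


def layered_decision(rules: List[FilterRule], pkt: Packet) -> Tuple[str, str]:
    """Outer layer: packet filter.  Inner layer (port 80 only): proxy check.
    Returns (verdict, which layer decided)."""
    if packet_filter(rules, pkt) != "allow":
        return "deny", "packet filter"
    if pkt.proto == "tcp" and pkt.dport == 80:
        ok, why = http_proxy_check(pkt.payload)
        return ("allow", "proxy: ok") if ok else ("deny", "proxy: " + why)
    return "allow", "packet filter only"


# Constructed sample policy and traffic (TEST-NET addresses, assumed).
RULES = [
    FilterRule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80),
    FilterRule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]
WEB = "192.0.2.10"
GOOD = Packet("198.51.100.7", WEB, "tcp", 80,
              b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
TUNNEL = Packet("198.51.100.7", WEB, "tcp", 80,
                b"CONNECT 203.0.113.9:443 HTTP/1.1\r\nHost: 203.0.113.9:443\r\n\r\n")
NOHOST = Packet("198.51.100.7", WEB, "tcp", 80, b"GET / HTTP/1.1\r\n\r\n")
SSH = Packet("198.51.100.7", WEB, "tcp", 22, b"SSH-2.0-OpenSSH_9.0\r\n")

if __name__ == "__main__":
    for name, pkt in [("good", GOOD), ("tunnel", TUNNEL), ("nohost", NOHOST), ("ssh", SSH)]:
        print(name, packet_filter(RULES, pkt), layered_decision(RULES, pkt))
```

The point to notice is that `packet_filter` returns "allow" for both `GOOD` and `TUNNEL`: to a filter they are the same 5-tuple. Only the proxy layer, which parses the request, rejects the CONNECT attempt and the Host-less HTTP/1.1 request. Adding a new protocol to the filter is one rule; adding it to the proxy means writing another parser, which is the flexibility-versus-analysis trade-off the post describes.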
This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 14:20:22 PDT