Security Basics mailing list archives
RE: Firewall/Router: Dedicated Server or Appliance?
From: "Bryan S. Sampsel" <bsampsel () libertyactivist org>
Date: Wed, 2 Nov 2005 14:14:03 -0700 (MST)
David Gillett wrote:
Collective wisdom is that one should run as little extraneous code as possible on a firewall, not least because flaws in that additional code may enable bypass of the firewall functionality.
You know, prior to Cisco getting egg on its face recently for a slew of different security issues/exploits, that might have been dogma in some quarters. But. Hardening can usually be done regardless of what software lies underneath. Some software platforms are just simpler to begin with, which is where this philosophy comes from. Problem is, many of the libraries used to build the software, not to mention some security implementations, have opened up holes that surprised lots of us out here in Industry.

Much of the security really depends on what services/features you're after. If you only allow desktops to go out and no inbound traffic, darn near anything can do the job...if it's SPI capable. If you want to protect webservers, application servers, etc, that opens up some holes, regardless of firewall implemented. Then, you have the application layer...do you want a firewall that can protect on that level, too?

But, there is some logic to your point. A simpler, more fine-tuned tool is theoretically more secure because there's less to tighten down. Does it always work out that way? Not really. But it's not a terrible rule of thumb...just oversimplified. IMO.

Sincerely,
Bryan S. Sampsel
LibertyActivist.org