Firewall Wizards mailing list archives

RE: Proverbial appliance vs software based firewall


From: Anton Aylward <aja () si on ca>
Date: 15 Oct 2002 09:28:06 -0400

On Tue, 2002-10-15 at 00:26, Jared Valentine wrote:

While it is correct that all security comes down to "software" at some
point, I would argue that hardware is much more secure.  The difference
between the two is that the hardware manufacturer can build off of a trusted
base/OS.  They can look at the OS line by line and strip out everything not
essential for the operating of that firewall.

I think that you "DON'T GET" Marcus's comment.
Hardware in this sense is still software - embedded systems.
Nothing in the Gartner paper contradicts that.

Take a look at Alan Cooper's "The Inmates Are Running the Asylum".
There is a big gulf between my 1951 Leica and my 2001 Leica.  The
latter _is_ all done by software.  The former I can open up and see and
repair.  And so on.

No, the h/w vs s/w issue is more like this.

As an example, suppose you have a firewall between two networks of
radically differing trust levels.  You can make the 'hardware' wiring
connections in various ways:

        Option #1: Connect both sides to the same Switch and use VLAN
                   to separate them.

        Option #2: Connect each side to a physically separate switch.

The former is relying on s/w.  The latter relies on hardware.
Yes, there are issues of "separation of duty" and all that good stuff.
But the point is that even though the switch is a piece of hardware, it
works by software.

Same argument with an ESS-7 vs an old Strowger cross-bar.

You might also check out Bruce Schneier's book "Secrets and Lies" and
see his comments on embedded security devices such as those John
Pescatore mentions.  They are not more invulnerable because they don't
have a screen and keyboard and command line.

John Pescatore is blowing smoke.  The article is feel-good
misinformation.

/anton
-- 
Interoperability isn't an engineering issue, it's a business 
issue.  Creating the Web -- HTTP plus HTML -- was probably 
the last instance where standards of global importance were 
designed and implemented without commercial interference. 
Standards have become too important as competitive tools to 
leave them where they belong, in the hands of engineers. 
Incompatibility doesn't exist because companies can't figure 
out how to cooperate with one another. It exists because 
they don't want to cooperate with one another.  
        -- Clay Shirky, 09/15/2000
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards