Firewall Wizards mailing list archives

Re: Proverbial appliance vs software based firewall


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Tue, 15 Oct 2002 16:25:53 +0200


Jared Valentine wrote:

> the hardware manufacturer can build off of a trusted
> base/OS.  They can look at the OS line by line and strip out everything not
> essential for the operating of that firewall.
>
> A software firewall doesn't enjoy the same operating environment.  It lies
> on top of an inherently insecure general purpose operating system (i.e.,
> Windows), and therefore is subject to all of the vulnerabilities of that
> operating system.


I was saying to myself that I should stay out of this discussion;
anything I say here can likely be construed as a vendor plug, but, 
bah, Paul will hopefully just drop this post if it's too bad. 
If not, you are of course free to just ignore it. [1]

We sell our firewall as a software package as well as pre-installed
on appliance boxes.  (Hopefully this carries some weight; I don't care 
if people only want appliances. I'm equally happy either way.)

I argue that both are equally secure.

The fact of the matter is that both run on the same "os": no os.
The firewall is its own operating system.  Both want to be installed
on clean media.

Tell me how the appliance is more secure?

Sure, the average Joe is probably happier with the appliance, since he 
doesn't have to go out and find hardware that agrees with having heaps of 
NICs, we do that for him, but how is the appliance more _secure_?


I'm thinking that the topic should be: "are firewalls that you need to 
install on a default install of Solaris/Linux/Windows better than
firewalls that are shipped with a hardened OS (installation)?"
... or maybe "vendor hardened vs default install" 
rather than "appliance vs software". 
(But here's where it really starts to smell an awful lot like a vendor 
 plug[2], so I'll just end right here.)

/Mikael

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

"Senex semper diu dormit"

[1] These kinds of postings were more fun back when I didn't have to
    think about things like this :/

[2] Luckily, there are a few other security product vendors[3] that ship 
    CDs that do their own OS installs and so forth, so hopefully the 
    stench isn't too ripe.

[3] FW-1 on Linux and the NFR CD come to mind. I'm sure there are others.