Firewall Wizards mailing list archives
RE: Proverbial appliance vs software based firewall
From: bmonkman () icsalabs com
Date: Tue, 15 Oct 2002 11:16:21 -0400
-----Original Message-----
From: Jared Valentine [mailto:hidden () xmission com]
Sent: Tuesday, October 15, 2002 12:27 AM
To: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Proverbial appliance vs software based firewall
> While I usually agree with Pescatore's opinions I do not this time. He is making a number of presumptions that are in my opinion flawed. <snip>
> I especially liked the quote: "Throwing more security software at a security problem that is caused by the essentially insecure nature of software is like going to a blind barber - it can only end badly and, more likely than not, bloodily."

If a vendor does not make any effort to either: 1. Acquire OS source code and modify it to secure it; 2. Take steps to modify the stack to intercept connection requests before they reach the application layer; 3. Document steps to follow to "harden" the OS; or 4. All of the above, then I agree with this statement. But to state that throwing a software solution at a security problem is a bad idea misses the mark.

> While it is correct that all security comes down to "software" at some point, I would argue that hardware is much more secure. The difference between the two is that the hardware manufacturer can build off of a trusted base/OS. They can look at the OS line by line and strip out everything not essential for the operating of that firewall.

The problem is not with the software - the problem is with the design. As you have said, design problems are not limited to just "software". When you get down to it - whether it is an "appliance" or "software based" solution - both come to life as code written by a developer.

There are ways to mitigate the risk inherent with running on top of an OS. Sun Microsystems will provide their source code (or at least most of it), the same with most of the other *nixs out there. With respect to Windows there are a number of methods to secure the environment - one I am familiar with is to replace the stack with a stack you have control over. I do tend to agree with you that using Windows introduces a level of difficulty where using other operating systems does not. However, there are plenty of vendors that do an excellent job of getting it right.

> A software firewall doesn't enjoy the same operating environment. It lies on top of an inherently insecure general purpose operating system (i.e. Windows), and therefore is subject to all of the vulnerabilities of that operating system.

True, but I have seen a number of "appliance" products that have had similar problems.

> In recent weeks, bugbear has made the rounds. Bugbear was quite different than many viruses out there in that it disables software firewalls and antivirus software. I'm not recommending that anyone go without a software firewall or antivirus, but your best bet defense will be hardware if you wish to ultimately rely upon that solution. This hardware can be an external firewall appliance, or a PCI/PC Card firewall device located in the Server/Desktop/Laptop. With this in light, the future looks interesting with things like TCPA/Palladium. What if you could actually trust the operating system?!
I agree that using a "trusted OS" would not be a bad idea - but it will only address part of the problem. In my opinion, when you look at a firewall - regardless of whether it is an "appliance" or a "software based" product - you have to consider the whole system. You need to consider what steps have been taken to address operating system issues, how the policy engine and the stack handle all types of connection attempts, how the firewall interfaces with the operating system - just to name a few. When we test a candidate firewall product we tell the vendor up front that they are responsible for the whole product - meaning hardware, software and underlying operating system. Our position is that a vendor's choice of operating system should not affect the security of the product. We will test for that and we will fail a product, and we have, that is not secure - regardless of the root cause of the vulnerability.

Brian Monkman
Firewall Programs Manager
ICSA Labs
1000 Bent Creek Blvd., Suite 200
Mechanicsburg PA 17050
Phone: 717.790.8141
Fax: 717.790.8170
www.icsalabs.com
PGP Key ID: 0x7E54D5CD