Firewall Wizards mailing list archives
RE: Proverbial appliance vs software based firewall
From: "Jared Valentine" <hidden () xmission com>
Date: Wed, 16 Oct 2002 00:35:16 -0600
The real question then: What did Dominic really mean by "software" firewall? I assumed the question was around "host-based personal firewalls" (BlackICE, ZoneAlarm, Tiny, etc.) as opposed to a "perimeter firewall" (Raptor, Sidewinder, Sonicwall, Netscreen, etc.). I agree wholeheartedly with your comments as they relate to perimeter firewalls. I would surely hope that my perimeter firewall vendor replaces/modifies the TCP/IP stack, limits the box to firewall-only tasks, chooses a good base OS, hardens that OS, checks the source code, etc. etc. Hardware/software... the security you get from that device probably won't vary much between the two. It's all software. You might get better performance out of hardware - but everyone has argued that the relative security of either solution is comparable. If we take the same question and look at it in the light of "host-based personal firewalls", then I would tend to argue in favor of hardware.
I agree that using a "trusted OS" would not be a bad idea - but it will only address part of the problem. In my opinion when you look at a firewall - regardless of whether it is an "appliance" or a "software based" product you have to consider the whole system. You need to consider what steps have been taken to address operating system issues, how does the policy engine and the stack handle all types of connection attempts, how does the firewall interface with the operating system - just to name a few.
I'll pick on the Windows world, although these comments potentially apply for any operating system that has a personal firewall. The problem with the "whole system" in a host-based firewall world is the untrusted base OS - Windows. I return to viruses like Bugbear and Pentagoner, as well as trojan horses like OptixPro/Lite/Killer, Buschtrommel, and y3krat. They ALL disable (turn off) personal/software firewalls. It doesn't matter how good the filtering engine is in the firewall. It doesn't even matter if the vendor replaced the entire Windows IP stack... These malicious programs simply do an end-run around the firewall by instructing the OS to turn off the security software. Up until the point where the software firewall gets disabled, I would argue that both solutions had been equally "secure." :) After the software is disabled, hardware seems much more attractive. Until we can trust the OS... it doesn't seem to matter how much additional security software we pile on. Today, all that is required is that someone get executable code on the machine. There seem to be plenty of ways to get code on a machine these days: e-mail attachments, web pages (browser bugs), floppy disks, network shares, p2p, server service vulnerabilities, the list goes on and on.
The problem is not with the software - the problem is with the design.
I would really like to say "my words exactly" - but they're your words. ;) The problem is with the design.
Jared Valentine
hidden () xmission com

-----Original Message-----
From: bmonkman () icsalabs com [mailto:bmonkman () icsalabs com]
Sent: Tuesday, October 15, 2002 9:16 AM
To: hidden () xmission com
Cc: firewall-wizards () icsalabs com
Subject: RE: [fw-wiz] Proverbial appliance vs software based firewall

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-----Original Message-----
From: Jared Valentine [mailto:hidden () xmission com]
Sent: Tuesday, October 15, 2002 12:27 AM
To: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Proverbial appliance vs software based firewall
While I usually agree with Pescatore's opinions I do not this time. He is making a number of presumptions that are in my opinion flawed. <snip>
I especially liked the quote: "Throwing more security software at a security problem that is caused by the essentially insecure nature of software is like going to a blind barber-it can only end badly and, more likely than not, bloodily."
If a vendor does not make any effort to either:
1. Acquire OS source code and modify it to secure it;
2. Take steps to modify the stack to intercept connection requests before they reach the application layer;
3. Document steps to follow to "harden" the OS; or
4. All of the above
then I agree with this statement. But to state that throwing a software solution at a security problem is a bad idea misses the mark.
While it is correct that all security comes down to "software" at some point, I would argue that hardware is much more secure. The difference between the two is that the hardware manufacturer can build off of a trusted base/OS. They can look at the OS line by line and strip out everything not essential for the operating of that firewall.
The problem is not with the software - the problem is with the design. As you have said, design problems are not limited to just "software". When you get down to it - whether it is an "appliance" or "software based" solution - both come to life as code written by a developer.
There are ways to mitigate the risk inherent with running on top of an OS. Sun Microsystems will provide their source code (or at least most of it), the same with most of the other *nixes out there. With respect to Windows there are a number of methods to secure the environment - one I am familiar with is to replace the stack with a stack you have control over. I do tend to agree with you that using Windows introduces a level of difficulty where using other operating systems does not. However, there are plenty of vendors that do an excellent job of getting it right.
A software firewall doesn't enjoy the same operating environment. It lies on top of an inherently insecure general purpose operating system (i.e., Windows), and therefore is subject to all of the vulnerabilities of that operating system.
True, but I have seen a number of "appliance" products that have had similar problems.
In recent weeks, Bugbear has made the rounds. Bugbear was quite different than many viruses out there in that it disables software firewalls and antivirus software. I'm not recommending that anyone go without a software firewall or antivirus, but your best defense will be hardware if you wish to ultimately rely upon that solution. This hardware can be an external firewall appliance, or a PCI/PC Card firewall device located in the Server/Desktop/Laptop. In light of this, the future looks interesting with things like TCPA/Palladium. What if you could actually trust the operating system?!
I agree that using a "trusted OS" would not be a bad idea - but it will only address part of the problem. In my opinion when you look at a firewall - regardless of whether it is an "appliance" or a "software based" product you have to consider the whole system. You need to consider what steps have been taken to address operating system issues, how does the policy engine and the stack handle all types of connection attempts, how does the firewall interface with the operating system - just to name a few. When we test a candidate firewall product we tell the vendor up front that they are responsible for the whole product - meaning hardware, software and underlying operating system. Our position is that a vendor's choice of operating system should not affect the security of the product. We will test for that and we will fail a product, and we have, that is not secure - regardless of the root cause of the vulnerability.
Brian Monkman
Firewall Programs Manager
ICSA Labs
1000 Bent Creek Blvd., Suite 200
Mechanicsburg PA 17050
Phone: 717.790.8141
Fax: 717.790.8170
www.icsalabs.com
PGP Key ID: 0x7E54D5CD

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBPawyN6MpP5h+VNXNEQJaPwCfUNRw9cgKwtbNbsLtbdPmJat0Kp4AniTK
xlH0/S7ZMdEJ0VhiNIvvpOhN
=CCFA
-----END PGP SIGNATURE-----

***********************************************************************
This message is intended only for the use of the intended recipient and may contain information that is PRIVILEGED and/or CONFIDENTIAL. If you are not the intended recipient, you are hereby notified that any use, dissemination, disclosure or copying of this communication is strictly prohibited. If you have received this communication in error, please destroy all copies of this message and its attachments and notify us immediately.
***********************************************************************

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
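Editor's note, with an added example that is not part of the thread above: the attack class Jared describes (malware that runs on the host and simply switches the personal firewall off) is still the first thing to audit for on a Windows endpoint. The PowerShell below is the editor's own check, not code from the list or from any vendor named in the thread. It assumes a Windows 8 / Server 2012 or later host where the NetSecurity module and the Windows Defender Firewall service (mpssvc) exist; the "finding" strings and the choice of event IDs to list are the editor's.

```powershell
# Editor's example (not from the thread): audit the state a firewall-killing
# trojan would tamper with. Assumes Windows 8 / Server 2012+ (NetSecurity module).
$findings = @()

# 1. Each profile (Domain, Private, Public) should be enabled, with inbound
#    connections blocked by default.
foreach ($p in Get-NetFirewallProfile) {
    if ("$($p.Enabled)" -ne 'True') {
        $findings += "Profile '$($p.Name)' is DISABLED"
    }
    if ("$($p.DefaultInboundAction)" -eq 'Allow') {
        $findings += "Profile '$($p.Name)' default inbound action is Allow"
    }
}

# 2. The service behind the firewall (mpssvc) must be running and set to
#    start automatically. Stopping or disabling it is the "end run" the
#    thread talks about: the filtering engine never sees a packet again.
$svc = Get-Service -Name mpssvc -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings += "Service mpssvc not found"
} elseif ("$($svc.Status)" -ne 'Running') {
    $findings += "Service mpssvc is $($svc.Status)"
}
$startMode = (Get-CimInstance Win32_Service -Filter "Name='mpssvc'").StartMode
if ($startMode -ne 'Auto') {
    $findings += "Service mpssvc start mode is $startMode (expected Auto)"
}

# 3. Tampering leaves a trail. The firewall's operational log records profile
#    setting changes (2003) and rule add/modify/delete (2004/2005/2006);
#    list the most recent ones so a reviewer can see who changed what.
$logName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
$recent = Get-WinEvent -LogName $logName -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 2003, 2004, 2005, 2006 }

# Report.
if ($findings.Count -eq 0) {
    'OK: host firewall enabled on all profiles, mpssvc running (Auto), inbound blocked by default'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
if ($recent) {
    'Recent firewall policy changes:'
    $recent | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
}
```

Run it from an elevated prompt, ideally from a scheduled task or an EDR/management agent so the result lands somewhere off the box. The caveat is exactly the thread's point: this check executes on the same untrusted OS as the malware, so anything able to stop mpssvc can also stop, or lie to, this script. It catches sloppy tampering and gives you the event trail, but it is not a substitute for enforcement that sits outside the host's trust boundary, whether that is an external appliance or a separate device in the machine.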
Current thread:
- RE: Proverbial appliance vs. software based firewall, (continued)
- RE: Proverbial appliance vs. software based firewall Bill Royds (Oct 27)
- Re: Proverbial appliance vs software based firewall Patrick M. Hausen (Oct 28)
- Re: Proverbial appliance vs software based firewall Mikael Olsson (Oct 28)
- Re: Proverbial appliance vs software based firewall Patrick M. Hausen (Oct 29)
- Re: ALGs or SPFs? Wee, again! :) (Was: re: Proverbial appliance vs software based firewall) Mikael Olsson (Oct 29)
- Re: ALGs or SPFs? Wee, again! :) (Was: re: Proverbial appliance vs software based firewall) David Lang (Oct 30)
- RE: Proverbial appliance vs software based firewall Ofir Arkin (Oct 14)
- RE: Proverbial appliance vs software based firewall Jared Valentine (Oct 16)
- Re: Proverbial appliance vs software based firewall Gary Flynn (Oct 16)
- Re: Proverbial appliance vs software based firewall Mikael Olsson (Oct 16)