Firewall Wizards mailing list archives

Re: Proverbial appliance vs software based firewall


From: Bennett Todd <bet () rahul net>
Date: Wed, 16 Oct 2002 13:30:05 -0400

Re "appliance" -vs- "software", I think it's very important to
straighten out what distinction you mean. As others have said on
this thread, there are at least two different classifications that
some people mean --- neither of which is well-described by the above
labels:-).

Some folks, with an engineering point of view, are talking about
the implementation technology in use --- there's the custom ASICs
and embedded OS crowd versus the general-purpose OS on commodity
hardware distinction. That one settles pretty simply. Custom
hardware/embedded OS firewalls are elaborated packet filters; this
means that they're:

        - often faster;
        - generally less flexible in adapting to new protocols _if_
          protocol-specific analysis is required;
        - generally easier to configure for new protocols if it's
          not;
        - generally less secure in doing correct high-level analysis
          of complex protocols.

and the complement of the above generalizations would then apply to
the general-purpose-OS/commodity-hardware firewall plants ---
although, sadly, some people fielding such firewalls are just doing
packet filtering, and failing to take advantage of the bastion to
run really good application-specific proxies.

Then there's the other half, and this is more the market viewpoint,
the manager's picture of things. From this point of view, the
appliances may or may not be PCs running Linux under the hood, but
they're sold pre-configured, with limited customization flexibility,
and the vendor provides support for the resulting gizmo as a
_firewall_. This appeals in shops where you don't have the in-house
expertise to do a good job of building a firewall from scratch.

In my own practice of firewall-building, anywhere I work, there's
the in-house expertise to build a firewall from scratch. So I tend
to advocate homebuilt bastions. Big firewall plants are
multi-layered beasties, with different technologies in different
layers; typically an outer layer --- perhaps only outside, perhaps
on the outermost and innermost faces --- is doing packet filtering,
an intermediate layer is pure application proxy bastions, and
suitably placed here and there you have various sorts of
service-providing servers. For these I tend to favour
carefully-configured "appliances" for the packet filtering, just
because it's a low-intelligence part of firewalling, where idiot
appliances can compete effectively, and this is an easy way to get
some substantial diversity all through your plant. If someone
presents a firewall plant that's all one technology --- e.g. the
same OS, or the same vendor appliance --- in all its layers, then
reject it unless the setting is low sensitivity.

-Bennett
