No eating of words required. Yes, if it can be
reconfigured without changing a chip then there is
software and it is not a pure hardware packet filter
(which the NetScreen is not). It has no HD and is
close enough for me (for packet filtering). The
interesting question is when will full-featured
application layer firewalls be running on "hardware"
like this.
acs
--- Ben Nagy <[EMAIL PROTECTED]> wrote:
> Well, ignoring the ASIC confusion question - does it run any code in RAM?
>
> I'm more than happy to eat my words about there being no hardware firewalls
> if it doesn't...
>
> To elaborate on my (personal) definition of a hardware firewall, a CPU is
> hardware. You feed an instruction and some registers in, you get stuff
> out. It's provable, and it's burnt in. The only way to modify its behaviour
> is to get another CPU with a different chip rev. A hardware firewall would
> be like that - there are ASICs on the NIC, there's a bus, and then there's
> some chip that takes the packet as an input and it either gets through or it
> doesn't.
>
> This is not to say that hardware is foolproof - the Intel hlt instruction is
> an obvious counter-example. In fact, I really doubt whether a hardware
> firewall would be practical at all - but I think that using the perception
> of "hardware == secure" to sell software-based firewalls is evil and wrong.
>
> Cheers,
>
> --
> Ben Nagy
> Network Security Specialist
> Marconi Services Australia Pty Ltd
> Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
>
> > -----Original Message-----
> > From: acs [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, July 06, 2001 12:44 PM
> > To: Ben Nagy; 'Steven Pierce'
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Hardware or Software
> >
> >
> > So is NetScreen a firewall? I would call it a packet
> > filter/VPN.
> > It uses custom ASICs.
> >
> > acs
> >
> >
> > --- Ben Nagy <[EMAIL PROTECTED]> wrote:
> > > I think a better definition is that a "hardware based firewall" would need
> > > to run dedicated ASICs (or whatever) for all firewall functions.
> > >
> > > Anything that uses any kind of code that runs in read / writeable RAM is a
> > > software solution. And yes, that includes firewalls that boot from read-only
> > > media.
> > >
> > > Any other definition is sophistry. A Cisco PIX is no more "hardware" than a
> > > Linux box running iptables.
> > >
> > > As far as I know there are no extant hardware based firewalls. None. Nil.
> > > Zip.
> > >
> > > Cheers,
> > >
> > > --
> > > Ben Nagy
> > > Network Security Specialist
> > > Marconi Services Australia Pty Ltd
> > > Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
> > >
> > > > -----Original Message-----
> > > > From: Steven Pierce [mailto:[EMAIL PROTECTED]]
> > > > Sent: Friday, July 06, 2001 11:13 AM
> > > > To: Zachary Uram
> > > > Cc: [EMAIL PROTECTED]
> > > > Subject: Re: zone alarme and udp 44767
> > > >
> > > >
> > > >
> > > >
> > > > Zachary,
> > > >
> > > > A hardware solution is one that is like a machine. So if you
> > > > took a router that had a firewall built into it
> > > > that would be a hardware solution. Anything that is
> > > > physically on your desk, etc. is hardware. Software is
> > > > anything installed on the machine, so ZoneAlarm would be
> > > > software. Now you can have hardware and software also.
> > > > If you have Linux (Any Flavor) installed on an old 486 that
> > > > would be both hard and soft.
> > > >
> > > > Does that help??
> > > >
> > > > Steven
> > > >
> > > > If anyone on the list would like to add to this please do, or
> > > > if I am off base please let me know.
> > > >
> > > > S
> > > >
> > > > *********** REPLY SEPARATOR ***********
> > > >
> > > > On 7/4/2001 at 01:12 Zachary Uram wrote:
> > > >
> > > > >eh?
> > > > >what is a 'hardware solution'?
> > > [...]
> > >
> >
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Get personalized email addresses from Yahoo! Mail
> > http://personal.mail.yahoo.com/
> >
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls