The hardware/software distinction is hardly there any more I think. Even
so-called hardware devices are running code internally.
Sticking to the security side of the issue though, if you can change the
code or configuration from the running system, I'd call it software. (And
changeable includes corrupting files on a hard disk in a power failure).
If the code and configuration are both unchangeable from the running system,
I'd call it hardware.
So according to my theory, a hardware firewall would have its code and
configuration in ROM of some description, and you'd have to change the ROM
to add a firewall rule. So the only chance we'll ever see one I think is if
AI technology ever gets to a useful stage and you'd have an AI engine that
works out for itself what traffic it should allow/deny.
But, the more of a system that is read-only the better. Both for security
and reliability.
Darryl Luff
[EMAIL PROTECTED]
> -----Original Message-----
> From: Ben Nagy [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, July 06, 2001 1:40 PM
> To: 'acs'; 'Steven Pierce'
> Cc: [EMAIL PROTECTED]
> Subject: RE: Hardware or Software
>
> Well, ignoring the ASIC confusion question - does it run any code in RAM?
>
> I'm more than happy to eat my words about there being no hardware firewalls
> if it doesn't...
>
> To elaborate on my (personal) definition of a hardware firewall, a CPU is
> hardware. You feed an instruction and some registers in, you get stuff
> out. It's provable, and it's burnt in. The only way to modify its behaviour
> is to get another CPU with a different chip rev. A hardware firewall would
> be like that - there are ASICs on the NIC, there's a bus, and then there's
> some chip that takes the packet as an input and it either gets through or it
> doesn't.
>
> This is not to say that hardware is foolproof - the Intel hlt instruction is
> an obvious counter-example. In fact, I really doubt whether a hardware
> firewall would be practical at all - but I think that using the perception
> of "hardware == secure" to sell software-based firewalls is evil and wrong.
>
> Cheers,
>
> --
> Ben Nagy
> Network Security Specialist
> Marconi Services Australia Pty Ltd
> Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
>
> > -----Original Message-----
> > From: acs [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, July 06, 2001 12:44 PM
> > To: Ben Nagy; 'Steven Pierce'
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Hardware or Software
> >
> >
> > So is netscreen a firewall? I would call it a packet
> > filter/vpn.
> > It uses custom ASICS..
> >
> > acs
> >
> >
> > --- Ben Nagy <[EMAIL PROTECTED]> wrote:
> > > I think a better definition is that a "hardware
> > > based firewall" would need
> > > to run dedicated ASICs (or whatever) for all
> > > firewall functions.
> > >
> > > Anything that uses any kind of code that runs in
> > > read / writeable RAM is a
> > > software solution. And yes, that includes firewalls
> > > that boot from read-only
> > > media.
> > >
> > > Any other definition is sophistry. A Cisco PIX is no
> > > more "hardware" than a
> > > linux box running iptables.
> > >
> > > As far as I know there are no extant hardware based
> > > firewalls. None. Nil.
> > > Zip.
> > >
> > > Cheers,
> > >
> > > --
> > > Ben Nagy
> > > Network Security Specialist
> > > Marconi Services Australia Pty Ltd
> > > Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
> > >
> > > > -----Original Message-----
> > > > From: Steven Pierce [mailto:[EMAIL PROTECTED]]
> > > > Sent: Friday, July 06, 2001 11:13 AM
> > > > To: Zachary Uram
> > > > Cc: [EMAIL PROTECTED]
> > > > Subject: Re: zone alarme and udp 44767
> > > >
> > > >
> > > >
> > > >
> > > > Zachary,
> > > >
> > > > A hardware solution is one that is like a machine. So if you
> > > > took a router that had a firewall built into it
> > > > that would be a hardware solution. Anything that is
> > > > physically on your desk, etc. is hardware. Software is
> > > > anything installed on the machine, so zonealarm would be
> > > > software. Now you can have hardware and software also.
> > > > If you have Linux (Any Flavor) installed on an old 486 that
> > > > would be both hard and soft.
> > > >
> > > > Does that help??
> > > >
> > > > Steven
> > > >
> > > > If anyone on the list would like to add to this
> > > please do, or
> > > > if I am off base please let me know.
> > > >
> > > > S
> > > >
> > > > *********** REPLY SEPARATOR ***********
> > > >
> > > > On 7/4/2001 at 01:12 Zachary Uram wrote:
> > > >
> > > > >eh?
> > > > >what is a 'hardware solution'?
> > > [...]
> > >
> >
> >
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls