The useful distinction is between firewalls that run on user-configurable (and also
hacker-configurable) general-purpose OSes and those that run on closed boxes with very
limited user activity.
This is a spectrum rather than a Boolean range, since Ben's true hardware firewall is
at one end and IPChains tends to be at the other.
The less user interaction required, the less likely the configuration can be screwed
up, but also the less flexible the product is.
There are now even ALG firewalls that come in a black box configuration
(VelociRaptor by Symantec/Axent for example) so that the hardware/OS part is
pre-configured to minimise sysadmin mistakes, while firewall rules are done remotely
in a GUI management console.
This distinction is useful when one is deciding on what firewall to use, because one
estimates the skill-set of the firewall managers vs. flexibility requirements and can
choose the format that best fits the enterprise. We can then develop various dimensions
to weight firewalls against our requirements and more easily find the best fit.
Some dimensions of comparison of firewalls:

  User configurability  <------>  black box systems
  packet filtering      <------>  application proxies
  cost
  Open Source OS        <------>  vendor unique OS
  speed
When selecting and sizing a firewall product, the above dimensions are some criteria,
but they are not independent. It is unlikely to get an application proxy that is also
fastest and lowest cost, but we can be honest about comparisons rather than blindly
sell a one-size-fits-all solution.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, July 06, 2001 01:24
To: [EMAIL PROTECTED]
Subject: Re: Hardware or Software
I doubt that any 100% hardware solution exists today, and I'm not
certain that such a thing, if possible, is necessarily desirable or
useful.
I think a more typical taxonomy divides the field into:
1. Hardware: Dedicated devices/appliances. Technically, this would
include both firewall boxes and firewall featuresets on dedicated
switch or router boxes.
2. Software: Driver-level and kernel-level software that adds
security to a general-purpose OS. Technically, this includes both
applications intended to turn generic hardware/OS into a dedicated
firewall box, and applications intended to run directly on a
host/client.
There are those who will object to FW-1 (on Solaris or NT...) and
ZoneAlarm both being lumped into the second category; there are those
who will object to a LinkSys router and a NetScreen box sharing the
first.
Note that there are both packet filters and proxies in the Software
category; while I know of no specific proxy products that fall into
the first category, there is no reason in principle that they could
not exist, and I suspect they do. So this does not exactly parallel
the packet filter vs. proxy taxonomy that is also commonly applied.
My rule of thumb: If a stranger can pick out the firewall by
looking, it's hardware. If it's not a separate box, or if it's a
generic "server" box that said stranger would need to be told was
running the firewall application, then it's software.
David Gillett
On 6 Jul 2001, at 11:59, Ben Nagy wrote:
> I think a better definition is that a "hardware based firewall" would need
> to run dedicated ASICs (or whatever) for all firewall functions.
>
> Anything that uses any kind of code that runs in read / writeable RAM is a
> software solution. And yes, that includes firewalls that boot from read-only
> media.
>
> Any other definition is sophistry. A Cisco PIX is no more "hardware" than a
> linux box running iptables.
>
> As far as I know there are no extant hardware based firewalls. None. Nil.
> Zip.
>
> Cheers,
>
> --
> Ben Nagy
> Network Security Specialist
> Marconi Services Australia Pty Ltd
> Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
>
> > -----Original Message-----
> > From: Steven Pierce [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, July 06, 2001 11:13 AM
> > To: Zachary Uram
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: zone alarme and udp 44767
> >
> >
> >
> >
> > Zachary,
> >
> > A hardware solution is one that is like a machine. So if you
> > took a router that had a firewall built into it,
> > that would be a hardware solution. Anything that is
> > physically on your desk, etc. is hardware. Software is
> > anything installed on the machine, so ZoneAlarm would be
> > software. Now you can have hardware and software also.
> > If you have Linux (any flavor) installed on an old 486, that
> > would be both hard and soft.
> >
> > Does that help??
> >
> > Steven
> >
> > If anyone on the list would like to add to this please do, or
> > if I am off base please let me know.
> >
> > S
> >
> > *********** REPLY SEPARATOR ***********
> >
> > On 7/4/2001 at 01:12 Zachary Uram wrote:
> >
> > >eh?
> > >what is a 'hardware solution'?
> [...]
>
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls