On Fri, 21 Jan 2000, Frank Heinzius wrote:
> We prefer dedicated appliances in contrary to firewalls based on general
> purpose OS for the following reasons:
>
> - more stability
I've had general purpose OS-based firewalls with 7-800 days of uptime
before dropping them to put in a new NIC which was followed by another
couple years of uptime- I've also heard horror stories of early appliance
implementations dropping every few weeks, care to quantify "more
stability?"
> - more security
I've yet to see a packet filter that allows blocking of, for instance
hostile ActiveX controls, could you also please quantify "more security?"
>- higher performance
In my experience, you get performance, or security - not both.
>- ease of use
The trend toward "easy" firewalls without the appropriate policies
is what makes most firewalls useful only against simple attacks. The
problem with "even an idiot could install it" is that the uninformed
*will* install them. Then they'll put Web servers on the internal
network, open half a gazillion ports for streaming
media/Netmeeting/whatever comes next and *think* they're "protected by the
firewall."
> > Is Hardware FW more easy to use?
>
> In this case, yes. Just bring in the box, attach cables. You generate a
> boot disk for the first-time install. After that, the box gets its
> configuration over a secure channel from the SMS. If you change units,
> just put in the disk, so it takes 3 minutes to set it up in case of
> failure or location moves.
The same could be said of any non-hardware firewall where the OS and
firewall code is pre-installed. Most modern systems have configurations
that fit on a single floppy. Granted if your OS isn't pre-installed or
requires a lot of patches, it takes longer, but if you want serious swap,
the new Sun 1U high rackmount Netras have swappable ID chips and you can
dd the disk off to an identical unit and use any proxy based firewall,
packet filtering firewall or hybrid firewall you'd like. The Sun
Netra units are also rated for earthquakes- for some that may be
important if they're expecting to use log files for evidence and live in
geologically unstable areas. Flash is still very expensive compared to
disk, and I haven't seen any of the appliance manufacturers address local
logging without using a hard drive.
> > What's the current market situation? Is Hardware FW the trend of the FW?
>
> Of course there is a trend. But it's not easy to generalize. Take Nokia:
> their hardware solution is based on a reliable stripped-down PC with a
> stripped-down Unix and Checkpoint Firewall-1 on them. They are known to
> be quite stable and much easier to set up than a Solaris machine
> (where you have to install OS, install a bunch of patches, harden the OS,
> install additional security tools and then install FW-1).
Actually, it's pretty easy to set up Solaris to self-patch and self-harden
at install time. We've got it down to 2 prompts, and one of those is "Do
you want to install Solaris?" IMO, if you're not capable of that, you
should demand that your reseller or installer perform the necessary steps.
Nokia has just done that part for the customer already, the real question
in that case is how often they'll go back and do new patches. If you've
done it yourself, you can repatch, if they've done it, you can't- but if
you're to do it, you have to have (expensive) competent people on-hand.
It's just as easy to do with Linux or any of the open source BSDs
(actually easier with Linux.) In fact if you're just looking for a
stateful packet filter or very simple proxy, you could probably get away
with a single or dual floppy solution. A PC with 2 floppies and a hard
drive is fairly inexpensive (but not very resilient). As with anything,
there are tradeoffs to be analyzed and considered.
> In the low-price market, which gets more and more important, software
> solutions rule the market...
It's also worth noting that as routers and switches gain more security
features, and protocols become easier to tunnel over and increasingly
necessary, "hardware" and "appliance" firewalls have no utility after
they're obsolete. You can always redeploy a Sparc to become a Web
server, file server or Quake server.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
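Paul's point that a packet filter cannot block hostile ActiveX controls comes down to where each device makes its decision: a (stateful) packet filter looks at addresses, ports and its connection table and never reads the payload, while an application proxy reassembles the HTTP exchange and can inspect the HTML it carries. The following is an added illustration, not code from the original thread or from any product it mentions. The policy, the 10.0.0.0/24 inside network, the 192.0.2.10 web server and the HTTP response with its all-zero CLSID are all constructed for the example; the detection rule (an `<object>` tag whose `classid` starts with `clsid:`) is the generic way an ActiveX control is embedded in HTML, not a list of known-bad controls.

```python
"""Header-only packet filter vs. content-inspecting proxy (added example).

Everything here is constructed: the rule set, the addresses and the HTTP
response. It shows why "protected by the firewall" means nothing for
content that rides inside an allowed TCP/80 session.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


# Constructed policy: inside hosts may open TCP/80 and TCP/443 outbound.
INSIDE_NET_PREFIX = "10.0.0."
OUTBOUND_ALLOWED_PORTS = {80, 443}


class StatefulPacketFilter:
    """Decides on the 4-tuple plus a session table; never reads the payload."""

    def __init__(self):
        self.sessions = set()

    def decide(self, pkt):
        # Outbound connection from inside to an allowed port: record it.
        if pkt.src.startswith(INSIDE_NET_PREFIX) and pkt.dport in OUTBOUND_ALLOWED_PORTS:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # Reply direction: allowed only if it matches a recorded session.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "ALLOW"
        return "DENY"


# Generic ActiveX embedding: <object ... classid="clsid:...">.
ACTIVEX_OBJECT = re.compile(rb"<object\b[^>]*\bclassid\s*=\s*[\"']?clsid:", re.I)


def proxy_decide(http_response):
    """Application proxy: reassembles the HTTP response and inspects the body."""
    head, sep, body = http_response.partition(b"\r\n\r\n")
    if not sep:
        return "DENY"  # not parseable as HTTP; a proxy fails closed
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    content_type = headers.get(b"content-type", b"")
    if content_type.startswith(b"text/html") and ACTIVEX_OBJECT.search(body):
        return "DENY"  # HTML carrying an embedded ActiveX control
    return "ALLOW"


# Constructed HTTP responses: one page embedding a control, one plain page.
HOSTILE_PAGE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>"
    b"<object classid=\"clsid:00000000-0000-0000-0000-000000000000\""
    b" codebase=\"http://www.example.com/control.cab\"></object>"
    b"</body></html>"
)
CLEAN_PAGE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><p>hello</p></body></html>"
)


def run_scenario(page):
    """Returns what each device decides for a request/reply pair carrying `page`."""
    fw = StatefulPacketFilter()
    request = Packet("10.0.0.5", 40321, "192.0.2.10", 80,
                     b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    reply = Packet("192.0.2.10", 80, "10.0.0.5", 40321, page)
    unsolicited = Packet("192.0.2.10", 80, "10.0.0.5", 40322, page)
    return {
        "filter_request": fw.decide(request),
        "filter_reply": fw.decide(reply),          # allowed: it matches the session
        "filter_unsolicited": fw.decide(unsolicited),
        "proxy_reply": proxy_decide(reply.payload),  # the only device that sees the HTML
    }


if __name__ == "__main__":
    for name, page in (("hostile", HOSTILE_PAGE), ("clean", CLEAN_PAGE)):
        print(name, run_scenario(page))
```

The packet filter does its job exactly as configured: the reply to a permitted outbound TCP/80 connection is allowed and an unsolicited inbound packet is dropped. Only the proxy, which parses the HTTP response, can refuse the page with the embedded control. Which of the two you need follows from the policy, not from whether the box is an appliance or a general-purpose OS.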