On Fri, 21 Jan 2000, Frank Heinzius wrote:

> Hi Paul,

Guten Tag/Abend/Nacht,

> > > We prefer dedicated appliances in contrary to firewalls based on general 
> > > purpose OS for the following reasons:
> > > 
> > > - more stability
> > 
> > I've had general purpose OS-based firewalls with 7-800 days of uptime
> > before dropping them to put in a new NIC which was followed by another
> > couple years of uptime- I've also heard horror stories of early appliance 
> > implementations dropping every few weeks, care to quantify "more
> > stability?"
> 
> Yes you're right concerning the deployment of this unit. But what if you 
> have customers like "Oh-I-got-this-nice-Solaris-machine-why-not-install-a-
> Webserver-Ecommerce-insert-your-favorite-compromising-software-here". 
> They exist :-(

Then you don't give them the root password :)

> > > - more security 
> > 
> > I've yet to see a packet filter that allows blocking of, for instance
> > hostile ActiveX controls, could you also please quantify "more security?"
> > 
> 
> If you have a kind of interface to external proxy agents, this can be 
> done with 3rd-party stuff.

True, but this increases the complexity significantly, and creates a new
trust boundary that has to be managed and another machine, etc.  That
negates the advantages of an appliance doesn't it?

> > > - higher performance
> > 
> > In my experience, you get performance, or security - not both.
> >  
> 
> It should be balanced...

I don't think it can be balanced :(

You can't do proper enforcement at gigabit speeds, so we're stuck with
"whatever works and provides a little more security" instead of fixing the
true problems of bad protocols and insecure hosts.

You'd think the example of the "anti-virus" industry would be enough to
teach us...

> > > - ease of use
> > 
> > The trend toward "easy" firewalls without the appropriate policies 
> > is what makes most firewalls useful only against simple attacks.  The
> > problem with "even an idiot could install it" is that the uninformed
> > *will* install them.  Then they'll put Web servers on the internal
> > network, open half a gazillion ports for streaming 
> > media/Netmeeting/whatever comes next and *think* they're "protected by the
> > firewall."
> 
> This is a general statement. If you are a firewall expert, you sell 
> training as well. If you have resellers, you train them. No firewall 
> protects from misuse of the admin...

But again, if you have all of that infrastructure, the appliance doesn't
have the advantages it would have otherwise over a normal host-based
implementation, no?

> > geologically unstable areas. Flash is still very expensive compared to
> > disk, and I haven't seen any of the appliance manufactures address local
> > logging without using a hard drive.
> 
> Logging shouldn't be done on the appliance...loginfos should be sent to 
> the management server.

That means you're adding another network trust boundary, another machine
which must be secured, making machines with management access to the
server, local network and physical plant significant audit points and
potential points of vulnerability...

It's a tangled web, no?

> > It's also worth noting that as routers and switches gain more security
> > features, and protocols become easier to tunnel over and increasingly
> > necessary, "hardware" and "appliance" firewalls have no utility after
> > they're obsolete.  You can always redeploy a Sparc to become a Web
> > server, file server or Quake server.
> 
> ...or install it on the firewall itself...it has been done :-(

Yep, but what's stopping the same from happening to your management
server?  The fact that appliances are targeted at the un-informed or
ill-informed seems to make that more likely, not less-likely.

> Have a nice Weekend!

You too!

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
