Well, ignoring the ASIC confusion question - does it run any code in RAM?
I'm more than happy to eat my words about there being no hardware firewalls
if it doesn't...
To elaborate on my (personal) definition of a hardware firewall, a CPU is
hardware. You feed an instruction and some registers in, you get stuff
out. It's provable, and it's burnt in. The only way to modify its behaviour
is to get another CPU with a different chip rev. A hardware firewall would
be like that - there are ASICs on the NIC, there's a bus, and then there's
some chip that takes the packet as an input and it either gets through or it
doesn't.
This is not to say that hardware is foolproof - the Intel hlt instruction is
an obvious counter-example. In fact, I really doubt whether a hardware
firewall would be practical at all - but I think that using the perception
of "hardware == secure" to sell software-based firewalls is evil and wrong.
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
> -----Original Message-----
> From: acs [mailto:[EMAIL PROTECTED]]
> Sent: Friday, July 06, 2001 12:44 PM
> To: Ben Nagy; 'Steven Pierce'
> Cc: [EMAIL PROTECTED]
> Subject: Re: Hardware or Software
>
>
> So is netscreen a firewall? I would call it a packet
> filter/vpn.
> It uses custom ASICS..
>
> acs
>
>
> --- Ben Nagy <[EMAIL PROTECTED]> wrote:
> > I think a better definition is that a "hardware
> > based firewall" would need
> > to run dedicated ASICs (or whatever) for all
> > firewall functions.
> >
> > Anything that uses any kind of code that runs in
> > read / writeable RAM is a
> > software solution. And yes, that includes firewalls
> > that boot from read-only
> > media.
> >
> > Any other definition is sophistry. A Cisco PIX is no
> > more "hardware" than a
> > linux box running iptables.
> >
> > As far as I know there are no extant hardware based
> > firewalls. None. Nil.
> > Zip.
> >
> > Cheers,
> >
> > --
> > Ben Nagy
> > Network Security Specialist
> > Marconi Services Australia Pty Ltd
> > Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
> >
> > > -----Original Message-----
> > > From: Steven Pierce
> > [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, July 06, 2001 11:13 AM
> > > To: Zachary Uram
> > > Cc: [EMAIL PROTECTED]
> > > Subject: Re: zone alarme and udp 44767
> > >
> > >
> > >
> > >
> > > Zachary,
> > >
> > > A hardware solution is one that is like a machine.
> > So if you
> > > took a router that had a firewall built into it
> > > that would be a hardware solution. Anything that
> > is
> > > physically on your desk, etc. is hardware. Software
> > is
> > > anything installed on the machine, so zonealarm
> > would be
> > > software. Now you can have hardware and software
> > also.
> > > If you have Linux (Any Flavor) installed on a old
> > 486 that
> > > would be both hard and soft.
> > >
> > > Does that help??
> > >
> > > Steven
> > >
> > > If anyone on the list would like to add to this
> > please do, or
> > > if I am off base please let me know.
> > >
> > > S
> > >
> > > *********** REPLY SEPARATOR ***********
> > >
> > > On 7/4/2001 at 01:12 Zachary Uram wrote:
> > >
> > > >eh?
> > > >what is a 'hardware solution'?
> > [...]
> >
>
>
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls