The Cisco IOS, and subsequently the PIX IOS (not sure about the latest
version, they've changed it from what I understand), both deal with
packets at a much lower level in the IP stack than your Linux example.
With Linux, and any other non-router OS, the packets have to travel to
layer 7 before ACLs are applied. On machines which do not separate the
IP stacks by NIC, this can allow a hacker to jump a lower layer and
bypass the ACLs. I believe that most software firewalls now separate the
stacks, I know Sidewinder does, so this may not necessarily apply to
yours.

In a very simple example, which is faster at routing between networks: a
dual-homed Linux box or a dual-interface router? While the difference
isn't as significant there, it multiplies when access lists are applied.

Mickey

-----Original Message-----
From: Nick Edens [mailto:[EMAIL PROTECTED]] 
Sent: Friday, September 21, 2001 9:47 AM
To: [EMAIL PROTECTED]
Subject: Re(2): Hardware Firewall vs Software Firewall


I am very confused about this. Doesn't a hardware firewall have the same
physical hardware as a computer? (i.e. CPU, memory, network cards) And
doesn't a hardware firewall have to have some sort of software to make
the hardware work? (i.e. Cisco's router software) That to me sounds just
the same as a Linux firewall. In my opinion a Linux box running as a
firewall should not be any slower than a hardware firewall (given that
the Linux box is not running any other services on it). I was under the
impression that all a hardware firewall gave you was someone to go to
for support and questions. I would be very interested in seeing the
results of some tests showing that a Linux firewall was actually slower
than a hardware firewall. Any comments or test statistics would be
greatly appreciated.

- Nick Edens
  Checker Distributors

Mickey S. Olsberg  (9/20/01  2:30 PM):
>I don't know if anyone has addressed this yet, but most of the reasons 
>for choosing a hw firewall over a sw one is purely throughput. A 
>software firewall, while more robust and much more configurable (for 
>things like mail filtering), takes a lot more time to pass packets than
>a hardware firewall, and as such cannot handle the sheer load or
>bandwidth utilization that a hw one can. Think of a hardware firewall, 
>such as the PIX, as a glorified router with specialized Access Control 
>Lists, hence the reason for it being faster.
>
>My .02,
>Mickey
>
>-----Original Message-----
>From: Luke LeBoeuf [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, September 19, 2001 11:42 AM
>To: 'satyam'; [EMAIL PROTECTED]
>Subject: RE: Hardware Firewall vs Software Firewall
>
>
>Hardware with proprietary IOS.
>
>Luke S. LeBoeuf
>
>Riptech, Inc.
>Real-Time Information Protection
>(c)703.593.6127
>(e)[EMAIL PROTECTED]
>http://www.riptech.com/
>
>
>-----Original Message-----
>From: satyam [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, September 19, 2001 1:51 AM
>To: [EMAIL PROTECTED]
>Subject: Re: Hardware Firewall vs Software Firewall
>
>Hi
>what is Cisco PIX
>a s/w or h/w firewall?
>
>regards
>dp-newbie
>
>----- Original Message -----
>From: Leytens Francois X. <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>; Shaun Prince <[EMAIL PROTECTED]>
>Cc: <[EMAIL PROTECTED]>
>Sent: 18 September 2001 13:48
>Subject: RE: Hardware Firewall vs Software Firewall
>
>
>Hi all,
>
>About this ambiguous subject, my experience is that:
>
>A software firewall is set on an OS and often, the OS presents more
>security holes than any software firewall. The other fact is that one
>of the simplest pieces of info to get is the OS brand and version and therefore
>it is very easy to check all vulnerabilities about that OS. You must
>then secure your OS and then install your firewall and secure it. You
>need to upgrade both OS and firewall as well as maintaining both. The
>fact that a software firewall is cheaper is true but don't forget to
>add the hardware price and the OS license. Also, the IP stack with all
>the networking hardware on the computer might give you limitations.
>
>A hardware firewall usually works closer to the hardware and most of the
>time is integrated into the hardware OS. Often, this OS is unknown and
>hard to attack (I said often and not all the time). When you need to
>patch your firewall, the patches are very often (again) for both OS and
>firewall and you don't need to care about patches for one or the other.
>In this case, the networking hardware and the IP stack are often better
>and more integrated.
>
>You can even work with a mix of the two (like the Nokia one) which is a
>dedicated hardware with a dedicated OS (based on BSD) and with a
>Checkpoint licence installed on it. In this case the upgrade and
>maintenance are still the same as the hardware box but working with a
>software product.
>
>In my point of view, the most critical point to check to make your
>decision is the throughput you need across your firewall.
>
>Hope this can help
>
>regards
>
>Francois X. LEYTENS
>
>********************************
>Francois X. LEYTENS
>Director - Engineer
>SEDELEC SA VALAIS
>Rue du Chemin de Fer 24
>Case Postale 16
>1958   St Leonard
>--------------------------------
>Tel :    +41 27 205 6000
>Direct : +41 27 205 6002
>Mobile : +41 79 205 6002
>Fax :    +41 27 205 6001
>Email :  [EMAIL PROTECTED]
>********************************
>
>> -----Original Message-----
>> From: Devdas Bhagat [SMTP:[EMAIL PROTECTED]]
>> Date: Saturday, 15 September 2001 08:35
>> To: Shaun Prince
>> Cc: [EMAIL PROTECTED]
>> Subject: Re: Hardware Firewall vs Software Firewall
>>
>> On Fri, 14 Sep 2001, Shaun Prince spewed into the ether:
>> > Could anyone explain why most people prefer to use software
>> > firewalls as opposed to using hardware firewalls?
>> At some point, your firewall is software. If it was purely hardware,
>> you would not be able to configure it in any way other than the
>> default settings. The benefits of a hardware (or rather firmware) based
>> firewall are that most work is done very close to the hardware, as
>> opposed to the usual software firewall which runs on an OS, or in an
>> OS kernel. The biggest advantage of a software firewall is that it is
>> cheaper, and easier to upgrade and maintain than a hardware firewall.
>>
>> My recommendation would be to go with what you can secure properly
>> and fits in your budget.
>>
>> Devdas Bhagat
>> --
>> Power corrupts.  And atomic power corrupts atomically.
