Re: Firewall: dedicated equipament x Unix workstation
David Bonn (David.Bonn@watchguard.com)
Fri, 2 Oct 1998 13:01:39 -0700
- Next message: Chris Brenton: "Re: Can a port be spoofed?"
- Previous message: ark@eltex.ru: "Re: User Friendly?"
- In reply to: Chris Hughes: "User Friendly?"
- Next in thread: Matthew Patton: "Re: Firewall: dedicated equipament x Unix workstation"
>>>>> "Carlos" == Carlos Henrique Bauer <bauer@atlas.unisinos.tche.br> writes:
Carlos> Some people believe that firewalls running in a dedicated network
Carlos> device are more secure than the ones running on a generic Unix
Carlos> workstation.
Carlos> Is that true, a myth or just a matter of taste?
I've got biases because I profit from firewalls as a dedicated network
device. I'll make some bald assertions that I think most people will
agree with:
o One can best avoid security risks associated with a piece of
software by not using that piece of software.
o The difficulty of evaluating the security of a system increases
very rapidly as the complexity of the system increases.
o Factors contributing to the complexity of a system are: size
of the code ("lines" of code, instructions, whatever), number of
subsystems, number of interfaces between subsystems, number of
vendors.
o You can't do an evaluation of the security of a system if you
can't vet the source code.
o Knowable risks are generally better than unknowable risks.
These are all motherhood and apple-pie issues. I don't think it is
reasonable to compare apples to oranges, so comparing a packet
filtering router to a Unix box running a bunch of application gateways
probably doesn't make a whole lot of sense.
Let's look at it from a vendor perspective. The vendor of a firewall
appliance likely has all of the source code, from device drivers to
operating system kernel (obviously they have sources to all of their
firewall software too), so they are in a position to at least evaluate
security risks. Appliance vendors also have an economic incentive to
keep the firewall code as small as possible, since this directly
reduces the cost of goods (larger flash rams rapidly get more
expensive, although this argument is much softer with hard disk
drives).
On the other hand, a host-based firewall has a much bigger set of
risks. Evaluating the host operating system is much more problematic
(how many host-based firewall vendors vetted the operating systems they
run under?). Device drivers make this worse, since the set of drivers
is potentially quite large and even more difficult to evaluate.
Keeping current with security patches may well require the customer to
integrate patches from two or more vendors. So the vendors ought to
be vetting those patches too. The situation doesn't scale very
well.
My $.02. Like I said, I'm biased.
David Bonn, CTO
WatchGuard Technologies, Inc.
david.bonn@watchguard.com
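The post argues from complexity factors (drivers, subsystems, vendors, exposed interfaces) without showing how to measure them on a real host. As an added example that is not part of the original message or any WatchGuard product, the following POSIX shell script turns those factors into a rough inventory of a host-based firewall: listening TCP services outside an allowlist, the number of loaded kernel modules, and modules the kernel has flagged as coming from outside the tree. The `ss -ltnH` and `/proc/modules` listings below are constructed sample data, and the allowlist of ports 22, 500 and 4500 (SSH plus IKE) is an assumption made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from WatchGuard: a rough
# inventory of the complexity factors the post names (drivers, subsystems,
# vendors, exposed interfaces) for a host-based firewall. Every function reads
# stdin, so it works on the constructed samples below or on live output.

# Constructed sample of `ss -ltnH` (State Recv-Q Send-Q Local:Port Peer:Port).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 0.0.0.0:500 0.0.0.0:*'

# Constructed sample of /proc/modules (name size refcount deps state address [taint]).
SAMPLE_MODULES='nf_conntrack 172032 2 nft_ct,xt_conntrack, Live 0x0000000000000000
nf_tables 245760 5 nft_ct, Live 0x0000000000000000
e1000e 270336 0 - Live 0x0000000000000000
bluetooth 786432 0 - Live 0x0000000000000000
snd_hda_intel 57344 0 - Live 0x0000000000000000
vendor_nic 94208 0 - Live 0x0000000000000000 (O)'

# Numeric TCP ports in LISTEN state, one per line, sorted and de-duplicated.
listening_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -n -u
}

# Listening ports absent from the space-separated allowlist in $1. On a
# firewall the allowlist is the handful of services it must expose; anything
# else is software whose risk is best avoided by not running it at all.
unexpected_listeners() {
    allow=" $1 "
    listening_ports | while read -r port; do
        case "$allow" in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# Number of loaded kernel modules: each driver is code someone has to vet.
count_modules() {
    grep -c '^[[:alnum:]_]'
}

# Modules the kernel flagged as out-of-tree (O) or proprietary (P) in the
# trailing taint field: a second vendor's code on the same firewall host.
foreign_modules() {
    awk '$NF ~ /^\(.*[OP].*\)$/ { print $1 }'
}

# Report on the constructed samples. For a live host, replace the printf
# pipelines with `ss -ltnH | ...` and `... < /proc/modules`. The allowlist
# (SSH plus IKE) is an assumption made for this example.
report() {
    echo "listening ports outside the allowlist:"
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners '22 500 4500'
    echo "loaded kernel modules: $(printf '%s\n' "$SAMPLE_MODULES" | count_modules)"
    echo "modules from another vendor:"
    printf '%s\n' "$SAMPLE_MODULES" | foreign_modules
}

report
```

On the sample data the report lists ports 25, 111 and 631 as services a firewall has no reason to expose, counts six loaded modules, and singles out `vendor_nic` as the one module tainted as out-of-tree. Each of those lines is a concrete instance of the post's point: something a host-based firewall vendor would have to vet but typically did not write.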
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:55 CDT