mailing list archives
RE: Firewall/Router: Dedicated Server or Appliance?
From: "Bryan S. Sampsel" <bsampsel () libertyactivist org>
Date: Wed, 2 Nov 2005 14:14:03 -0700 (MST)
David Gillett wrote:
> Collective wisdom is that one should run as little extraneous
> code as possible on a firewall, not least because flaws in that
> additional code may enable bypass of the firewall functionality.
You know, prior to Cisco getting egg on its face recently for a slew of
different security issues/exploits, that might have been dogma in some
quarters. But. Hardening can usually be done regardless of what software
lies underneath. Some software platforms are just simpler to begin with,
which is where this philosophy comes from.
Problem is, many of the libraries used to build the software, not to
mention some security implementations, have opened up holes that surprised
lots of us out here in Industry.
Much of the security really depends on what services/features you're
after. If you only allow desktops to go out and no inbound traffic, darn
near anything can do the job...if it's SPI-capable. If you want to
protect webservers, application servers, etc., that opens up some holes,
regardless of the firewall implemented. Then, you have the application
layer...do you want a firewall that can protect on that level, too?
But, there is some logic to your point. A simpler, more fine-tuned tool
is theoretically more secure because there's less to tighten down.
Does it always work out that way? Not really. But it's not a terrible
rule of thumb...just oversimplified.
Bryan S. Sampsel
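An added illustration of the "outbound only, if it's SPI-capable" point above, written for this archive page rather than taken from the post or from any firewall product. It models two tiny packet filters over constructed traffic: a stateless one whose "established" rule is the classic flag test (accept any inbound TCP segment that is not a bare SYN, the way an iptables `! --syn` rule does), and a stateful one that keeps a flow table and only admits inbound segments belonging to a connection it saw start. The inside prefix 10.0.0., the published web server 10.0.0.80:80 and every packet are assumptions built for the example.

```python
from dataclasses import dataclass

# Hypothetical inside prefix and published service, constructed for this example.
INSIDE_PREFIX = "10.0.0."
PUBLISHED = {("10.0.0.80", 80)}   # the one server the firewall must expose


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


class StatelessFilter:
    """Flag-based 'established' rule (iptables-style `! --syn`): no memory,
    so any inbound segment that is not a bare SYN is taken for a reply."""

    def __init__(self, published):
        self.published = published

    def decide(self, p: Packet) -> str:
        if inside(p.src) and not inside(p.dst):
            return "ACCEPT"                       # outbound is always allowed
        if (p.dst, p.dport) in self.published:
            return "ACCEPT"                       # exposed service
        if inside(p.dst) and not (p.syn and not p.ack):
            return "ACCEPT"                       # 'established' guess from flags
        return "DROP"


class StatefulFilter:
    """Stateful packet inspection: inbound is accepted only for a flow the
    firewall watched begin, either outbound or toward a published service."""

    def __init__(self, published):
        self.published = published
        self.flows = set()                        # conntrack: (src, sport, dst, dport)

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:
            return "ACCEPT"                       # belongs to a tracked flow
        if inside(p.src) and not inside(p.dst):
            self.flows.add(fwd)                   # new outbound flow
            return "ACCEPT"
        if (p.dst, p.dport) in self.published and p.syn and not p.ack:
            self.flows.add(fwd)                   # new inbound flow to exposed service
            return "ACCEPT"
        return "DROP"


# Constructed traffic, not a capture.
TRAFFIC = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, syn=True),            # desktop opens HTTPS
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, syn=True, ack=True),  # legitimate SYN/ACK reply
    Packet("198.51.100.7", 53, "10.0.0.5", 3389, ack=True),              # forged ACK probe at RDP
    Packet("198.51.100.7", 53, "10.0.0.5", 3389, syn=True),              # bare SYN at RDP
    Packet("198.51.100.7", 51000, "10.0.0.80", 80, syn=True),            # client to published web server
    Packet("10.0.0.80", 80, "198.51.100.7", 51000, syn=True, ack=True),  # web server's reply
]


def run(fw, traffic=TRAFFIC):
    """Feed the traffic through a filter in order and return its verdicts."""
    return [fw.decide(p) for p in traffic]


if __name__ == "__main__":
    for name, fw in (("stateless", StatelessFilter(PUBLISHED)),
                     ("stateful", StatefulFilter(PUBLISHED))):
        print(name, run(fw))
```

The third packet is the interesting one: the stateless filter waves the forged ACK through to the RDP port because it cannot tell a reply from an unsolicited segment that merely has the right flag set, while the stateful filter drops it because no inside host ever opened that connection. Both filters still have to open a hole for the published web server, which is the "that opens up some holes, regardless of the firewall" part of the post.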