On Mon, 10 Jan 2005 17:26:05 -0700, Mark Teicher <mht3_at_earthlink.net> wrote:
> A majority of vendors who build appliances build them for one reason. They
> do not have to hire a bunch of highly skilled technical people for customer
> support. Provide a nice color glossy diagram with lots of circles and
> arrows, and the customer(s) are enjoying their appliance purchase, not
> unlike the early days of firewalls, where most companies stated: "Oh yeah
> our stuff works on that variant of Unix or Windows." But in reality, one
> needed a PhD to configure the underlying O/S just the right way before the
> firewall application could be installed, all this with technical support on
> the phone or on site.

No argument here. There are plenty of faulty "appliance" products,
and plenty of "appliances" which, under the hood, turn out to be stock
installations of Red Hat.

In the case of firewalls, I'd argue that there is a difference in kind
between a firewall appliance like PIX (running a minimalistic embedded
OS which now exists solely to support PIX) and something like
"Sidewinder" which is marketed as a firewall appliance but actually
runs a highly customized version of BSD which has been stripped down
to the point that it is not really useful for anything else.

I'm not saying that one is "better" or "more secure" than the other,
just that they are vastly different devices -- the PIX is what I'd
term a "true appliance", while the Sidewinder is an "appliancized
Unix". Each has strengths and weaknesses.

With the PIX, there really isn't much of any underlying OS to
configure. This limits functionality, but also eliminates the need
for a PhD to fine-tune the finicky little bits under the hood. The
downside being, you don't have the option of fine-tuning and
customizing the underlying OS if you so choose, but then, neither does
an intruder.

Kevin Kadow
Received on Jan 14 2005