Firewall Wizards mailing list archives

Re: Hardware vs. Software firewall reliability


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Wed, 08 Sep 1999 21:50:12 -0400

Bill Stout wrote:
> I notice that more firewalls are of the hardware type.

Yup. It's because vendors are sick of being tortured over operating
system issues, so they choose to hide it. If you come out with an
overtly UNIX product, the NT heads will scream until you make an NT
version and then the various UNIX factions will bicker over which
UNIX flavor and hardware you support. It's a nightmare. :) So the
vendors just say, "OK, it's a black box. Keep out." It's especially
important since customers want to be cost-conscious, and if the product
is going to run on an *86 machine, then you've either got the problem
that the customer has to install NT (joy!joy!) or find a hardware
platform that works reliably for whichever UNIX you use (joy!joy!).
It's a massive pain all around, and of course, pain for the customer
always reflects on the vendor.

> It seems that over time the hardware firewalls have become more robust,
> and with the minimal configuration involved, lack of mechanical devices
> (disks) and underlying OS to fiddle with, seem to have higher MTBF
> ratings than software firewalls.

It's really more a matter of avoiding user error than anything
else. If it's a black box, you don't have to worry about your
customer hosing the password file (if it's UNIX) or zapping the
wrong registry entry (if it's NT). The hardware these things run
on is all about the same. You can get very good hardware configs
that have redundant power, etc., etc. That's just a matter of money.

> Seems that many on the list have predicted the rise of the hardware
> firewall and 'death' of the software firewall.

I did, in about 1992. :) But we made software firewalls because,
at that time, it was hard to get a zero-cost operating system that
was any good. Nowadays, you can get zero-cost operating systems
that are nearly good, assuming you're willing to spend a full
time employee fiddling with them.

> What is the current feel of hardware vs. software firewalls?

I figure in a few years firewalls, intrusion detection systems,
and most dedicated servers will be appliances -- unless there
remains a large corps of dedicated folks who _enjoy_ screwing
around with operating systems. (I mean, I _enjoy_ it, but as a
hobby, not part of my job. My job is to make things work, and
fiddle-ware isn't attractive to senior management in most places
anymore.)

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
