
Thread: What is the best firewall

  1. #1
    Bimmer
    Guest

    Question What is the best firewall

    software of course...and yes I do know more than html, I know some C++, once I choose which college, I will know a lot more...

    [This message has been edited by Bimmer (edited 03-20-2000).]

  2. #2
    Justin
    Guest

    Post

    Not trying to start a flame war here, but I would have to disagree. I can show you more exploits for software firewalls than hardware firewalls.

    Firewalls are generally as good as the person setting them up. If you know how to set up and configure a hardware firewall then you are well protected. Software firewalls, OTOH, can be buggy because of poor programming.

    Justin

  3. #3
    Criminal Master Mind ExarKun's Avatar
    Join Date
    Dec 1999
    Location
    Under The Police Station
    Posts
    1,118

    Cool

    ahh but see depending on how well you are at Reverse engineering you can take the flaws of any program and reduce them greatly, and customize it to your needs.
    As with a hardware system it is much more difficult to achieve that.

    ------------------
    You Do Not Know The True Power Of The DarkSide
    "Quoted By ExarKun From Dark Lords Of The Sith " 4000 Years Before Vader Said It

  4. #4
    Justin
    Guest

    Post

    Very true, and good point. But how many people do you know that are able to do that? For a typical Joe Schmoe user that will be hard to achieve. Then again a typical Joe Schmoe user won't be able to configure a hardware router/firewall either, hehehe.

    Justin

  5. #5
    Regular Member Noir Pouvoir's Avatar
    Join Date
    Dec 1999
    Location
    Toronto,Ontario
    Posts
    125

    Post

    Are you serious?
    You guys need some schoolin!
    Get to class!
    software HAHAHAHA get a life, sorry get edu..

  6. #6
    Criminal Master Mind ExarKun's Avatar
    Join Date
    Dec 1999
    Location
    Under The Police Station
    Posts
    1,118

    Cool

    HAHA I wasted four years of my life in college and all it got me was to work for msn.com woo. hoo. (hint of sarcasm), True most people do not have the ability to program any computer language besides html, but the ones who do should.

    ------------------
    You Do Not Know The True Power Of The DarkSide
    "Quoted By ExarKun From Dark Lords Of The Sith " 4000 Years Before Vader Said It

  7. #7
    Justin
    Guest

    Question

    Huh? Full sentences please.

    Justin

    >Are you serious?
    >You guys need some schoolin!
    >Get to class!
    >software HAHAHAHA get a life, sorry get edu..

  8. #8
    Regular Member Noir Pouvoir's Avatar
    Join Date
    Dec 1999
    Location
    Toronto,Ontario
    Posts
    125

    Post

    -Right over your head:1
    -That's where it went:2
    -If you reply, message sent:3

  9. #9
    Moderator Bouncer's Avatar
    Join Date
    Oct 1999
    Location
    OCONUS
    Posts
    4,834

    Post

    Simply put, it's a cost issue.

    Hardware firewalls ARE better, because there's no underlying OS to crash. That is the fundamental flaw of any (yes even Linux) firewall. I crash the OS, and the firewall is gone. With hardware, you have to defeat firmware code, which runs much faster, and is MUCH harder to defeat.

    There's a reason big companies use Cisco PIX boxes and Redcreek gear. Properly configured (always the key) they are much more resistant to both brute force attacks, and other more subtle forms of hacking.

    However, it's again a cost issue, a Cisco PIX can easily be upwards of 20000 dollars. If the whole of the data and the systems being protected isn't worth that much, or if you have a good auto backup policy in place, then it's simply not cost justified, and a software firewall is at that point, a much better solution because it works almost (not quite, but almost) as well.

    As for me, I use Conseal. I like it more than BlackIce, though BI does have a cooler Gibson inspired name.

    Regards,
    -Bouncer-

    [This message has been edited by Bouncer (edited 03-20-2000).]

  10. #10
    Regular Member
    Join Date
    Aug 1999
    Posts
    341

    Post

    "Hardware firewalls ARE better, because there's no underlying OS to crash. That is the fundamental flaw of any (yes even Linux) firewall. I crash the OS, and the firewall is gone."


    Actually, that's not quite true. Hardware firewalls run on compiled source code (usually C/C++ or Ada--with some inline ASM to do the hardware control). You can't compile source code to a binary without some sort of program loader (typically this is referred to as an operating system--I'm using CM and CMS2 to support this claim, as they both probably have the most "lightweight" background OS, and have been the standard for most defense and military embedded systems that have been in existence from 1968 to 1983, when Ada replaced it as the standard).

    As for the statement, "I crash the OS, and the firewall is gone." That's true enough, but if the intent of my firewall is to keep prying eyes out of my files (which is the typical home user's concern), then crashing my OS is a moot point. If you crash my OS, you can't get my files. Even if you rebooted my machine it would do you no good, as the firewall boots prior to the network. (Also, if the firewall is a separate machine, it tends to be the proxy/gateway as well--so, if it's down you can't get to the machines you want to anyhow) Further, software based firewalls, in the unices at least, use IP filtering, and if properly configured it will do about 95% of the work a hardware firewall would do at more than half the price. Granted, that 5% difference would mean a lot if you are running a full scale corporate network, but, for the home user it's not worth the extra cash.

    In either case, hardware or software, there will be some holes in it down the road as technology advances. Which is why both types of firewalls have regular software updates published.

    [This message has been edited by Stu (edited 03-21-2000).]


  11. #11
    Moderator Bouncer's Avatar
    Join Date
    Oct 1999
    Location
    OCONUS
    Posts
    4,834

    Post

    Stu,

    Please, be careful about taking statements out of context. There's no point in arguing one sentence of a four paragraph post, if you ignore the context in which it was written. I will apologize though, for not being as clear as I could have been. For the record, I was referring to software firewalls in the following paragraph, wherever I do not say "hardware firewalls":

    "Hardware firewalls ARE better, because there's no underlying OS to crash. That is the fundamental flaw of any (yes even Linux) firewall. I crash the OS, and the firewall is gone. With hardware, you have to defeat firmware code, which runs much faster, and is MUCH harder to defeat."

    So actually, taken in context, the statement IS true, because firmware code is not only faster, being closer to the physical parts, it's also much more resistant to boot interruption and other service attacks.

    You can argue that firmware is or is not an OS all day long. I take the view that since the code is implemented without going through more than one translation layer, it's not an OS, and that the translation layer itself does not count as an OS unless and until it performs functions with more than one piece of software/hardware. Otherwise, every software driver out there for every video card could be considered an OS.

    I never wrote to the intent of the attack. I didn't say whether it was to invade the box, some other device or simply to halt traffic.

    I can think of a couple of firewalls that do NOT boot before the network. Again, we can argue back and forth forever and not move anywhere. I would point out though, that if I can load a trojan before you load your firewall...the question of when the network loads becomes moot.

    Stu, I'm not trying to fight you on this, as I said in my original post it's really a cost issue. For most folks, a software firewall is fine, I use one myself. I would simply point out that major corporations and Government agencies rely on hardware firewalls, and not software ones. And that there are very good reasons for that. It IS closer to hardware, it IS faster, it IS more robust. Conclusion, it IS a better firewall.

    Regards,
    -Bouncer-



    ------------------
    "Yeah Baby, YEAH!!!"


  12. #12
    Regular Member
    Join Date
    Aug 1999
    Posts
    341

    Post

    Bouncer:

    I didn't mean that to sound as if I was "attacking" your post, but rather, pointing out that your statement might/could be interpreted as applying outside of your intended scope.

    As for firmware (embedded systems) running on an OS or not, (I'll try not to get too off track here) but I write embedded systems for a living, and they do require an OS/loader for initial execution--however once executed the OS/loader can be completely ignored. That doesn't mean that it goes away though (it constantly monitors program status to see whether A) it's running; B) if it's not it will reload the program; and C) whether processes are lost or not (this last part tends to be true for mostly higher end embedded systems, like airplanes, military weapon systems, etc.)). Don't misunderstand what I'm saying here, these OS/loaders by no means are some elaborate system that supports complex shells or anything like that (unless they are on a high end system), basically all they do is tell the device "run this" and occasionally check to make sure that it's running. Granted, it might not "seem" like an OS compared to what most people are comparing it against (Windows, Linux, BSD, etc.).

    Finally, I do agree that the hardware firewall is the better firewall, I never said I didn't. My only point was that for the cost for the increased security, it is a bit out of the typical home user's budget for a small percent increase in security. Although, I have seen some of these lower priced hardware firewalls out there from companies like Linksys and WatchGuard that look like a step in the right direction. So, it will be interesting to see what happens in the future (will we all have hardware firewalls this time next year?)...

    [This message has been edited by Stu (edited 03-22-2000).]
