Archived from groups: comp.security.firewalls
In article <3d92b$40fd0d2c$45234d07$26840@allthenewsgroups.com>,
someone@some.one says...
>
> "Leythos" <void@nowhere.com> wrote in message
> news:MPG.1b66d3cb97a0967f98a7bb@news-server.columbus.rr.com...
> > In article <g7vpf0tr6sfr45kdrqlbllbmh4fbfqm1ig@4ax.com>,
> > badnews@hansenonline.net says...
> > > "Hardware firewall" has become (like it or not) synonymous with firewall
> > > appliance. Now the problem is how to define a firewall appliance ...
> > >
> > > The way I try to put it is: A firewall appliance is a dedicated unit
> > > that does not run a user-oriented operating system, has no regular
> > > computer connections (ie keyboard, mouse, monitor) other than ethernet
> > > and a console/serial port, and its only task is to work as a firewall.
> > >
> > > That makes Pix a firewall appliance, as well as all the watchguards,
> > > sonicwalls, the Nokia Checkpoint boxes and the Symantec gateway security
> > > boxes. Checkpoint installed on a 1U Windows (or Unix) server does not
> > > meet these criteria.
> >
> > Very good example Lars - I'll have to remember this in the fight to
> > explain the difference to people that are either trolls or just want to
> > argue.
> >
> > One other thing I use to separate "appliances" from non-appliances - can
> > you install any other (non-firewall) application on the device, if you
> > can, then it's not a firewall appliance. I can't think of one appliance
> > that I could install MS Office or SendMail on.
> >
> > --
> > spamfree999@rrohio.com
> > (Remove 999 to reply to me)
>
> I'm not familiar with "hardware firewalls", never having used one. The term
> appliance seems a little awkward, but any way that you describe it, it would
> necessarily have to be software driven. The only question I would have
> would be the updating of the software in the "appliance" (hardware
> firewall). How often is this updated and how? Thinking further, I used a
> 2Wire DSL interface for a while a couple of years ago. Would this be
> classified as a "hardware firewall/appliance" that is being talked about?
The appliances are updated either through a serial port or through the
GUI provided by the vendor. All firewalls, as well as most computing
devices, are driven by some type of firmware or software. In the case of
an appliance, it's mostly firmware (something contained in a re-programmable
chip) that is loaded by a boot-block of code. The firmware
method only allows updating with the same type of firmware - meaning
that I could not load OS/2 into my firewall's firmware and end up with an
OS/2 computer.
The appliance route is a dedicated device that cannot be used for
anything else (notice, I didn't say "is not used for anything else").
In the case of the WatchGuard firewalls, I have a vendor provided
application suite that runs on a computer, it interfaces with the
firewall over specific ports/protocols. The interface lets me monitor,
change rules, update firmware, etc...
The DSL router (or cable modem) that your ISP provides is considered a
"hardware" appliance, as are your managed network switch and your
managed, network-aware tape vault. Your unmanaged network switch is
considered to be just hardware.
About 5 years ago the marketing types decided to start pushing routers
with NAT as firewalls; they only offered inbound blocking, not because
of firewall rules but because of the way that NAT works. Routers that
provide NAT are not firewalls, they are routers. Sure, you can update
the firmware in them, but they are just routers - some of them are nicer
than others and provide some enhanced features, but they are still just
routers.
A software firewall is something that gets installed on a
Computer/Server/Workstation that MAY also have other software installed
on it - even if it doesn't have anything other than an OS and the
application, it's still a software firewall (based on what we're
discussing here). In the early days I used a Windows NT box with Sygate
and two NICs as a dedicated solution - it was a NAT/Proxy type
solution. I considered it to be just NAT/Proxy and nothing more, and not
an appliance, it was a software solution.
If I install ISA (MS's Firewall) on a dedicated computer, just for
acting as a firewall, it's still not an appliance, it's just a software
firewall (much like NIS or ZoneAlarm or the others).
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
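
A toy model of what the post above calls "the way that NAT works", added here as an illustration; it is not part of the original post and not any vendor's code. It shows that a NAT gateway drops unsolicited inbound packets only because no mapping exists for them, while every outbound flow is translated without any policy check. The class and function names, and all addresses and ports, are constructed sample values.

```python
"""Toy model of a stateful NAT (port-address translation) gateway.

Added illustration, not code from the original post.  Inbound packets are
forwarded only when an earlier outbound packet created a mapping for them;
that side effect is the whole of the "inbound blocking" a NAT router gives
you.  Nothing here examines or restricts outbound traffic, which is what a
firewall rule set would add.  All addresses and ports are constructed
(RFC 5737 documentation ranges and private space).
"""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Masquerades many inside hosts behind a single public address."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # (inside ip, inside port, remote ip, remote port) -> public port
        self._outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (remote ip, remote port, public port) -> (inside ip, inside port)
        self._inbound: Dict[Tuple[str, int, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN -> Internet packet.

        Every outbound flow is accepted: the gateway has no notion of
        policy, it simply allocates a public port and records the mapping.
        """
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._outbound.get(key)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._outbound[key] = port
            self._inbound[(pkt.dst_ip, pkt.dst_port, port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an Internet -> LAN packet.

        Returns None (dropped) when no outbound flow created a mapping.
        No rule was consulted; the packet simply has nowhere to go.
        """
        inside = self._inbound.get((pkt.src_ip, pkt.src_port, pkt.dst_port))
        if inside is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def demo():
    """Walk through the four cases the distinction rests on."""
    nat = NatGateway("203.0.113.10")
    # 1. An inside host opens a connection to a web server: mapping created.
    out = nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 80))
    # 2. The server's reply matches that mapping and is forwarded inside.
    reply = nat.inbound(Packet("198.51.100.5", 80, "203.0.113.10", out.src_port))
    # 3. An unsolicited probe from elsewhere finds no mapping and is dropped.
    scan = nat.inbound(Packet("192.0.2.77", 4444, "203.0.113.10", 3389))
    # 4. Outbound to any host on any port is still passed, unexamined.
    leak = nat.outbound(Packet("192.168.1.20", 51001, "192.0.2.77", 6667))
    return out, reply, scan, leak


if __name__ == "__main__":
    for label, pkt in zip(("out", "reply", "scan", "leak"), demo()):
        print(f"{label}: {pkt if pkt is not None else 'dropped (no mapping)'}")
```

Case 3 is the only thing a plain NAT router blocks, and it blocks it for lack of state rather than because anyone wrote a deny rule; case 4 is what a firewall, software or appliance, would let you control and a bare NAT router does not.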