Dear Mr. Bertelsen,
Somehow, by mistake, this message was forwarded to me. I'll cc: it to the intended recipient.
Have a nice day!
> From: Lars Bertelsen <lbe @
> To: firewalls @
> Subject: Re: PIX and other "Black boxes" vs normal firewalls.
> Date: Saturday, October 11, 1997 1:06 AM
> In your message you write:
> >I am relatively new to firewalls (I have set up several with the TIS fwtk and
> >managed some others) and I am running into management that is saying we
> >need to replace the Unix based firewalls with "black-box" firewalls (the
> >CISCO PIX used as an example). I would like to get info from both sides of
> >the issue before deciding which way to jump.
> >Current arguments are:
> >1. black-boxes are more secure as they do not run Unix which everyone
> >knows and which has unknown security holes in it.
> Black boxes may have holes in them too. Black boxes run off software and
> software has bugs!
> Cisco have made many bugfixes to their operating system over time.
> Oh, and Ciscos run on a small unix or very unix-like OS!
> The difference between Unix based firewalls and black boxes in this respect
> is that if a black box has a hole in it, only the manufacturer can confirm
> and fix it. It is not that holes aren't existent!
> Oh, and Unix doesn't have security holes as far as I know... Certain
> servers running under Unix have security holes, but that is something
> entirely different. Don't run anything on your Unix box which isn't both
> safe and necessary!
> That way Unix is safe.
> >2. black-boxes require less time to manage reducing the need for
> >firewall/security staff.
> No comment. I haven't set up a Cisco PIX.
> But I would assume that if it does as many things as a Unix based firewall
> then it will take roughly as much setup and maintenance.
> A router takes less setup than an application firewall because it only does
> one thing: filter packets.
> >3. Unix based firewalls are more flexible as they can be tailored to the
> >specific application better than what the "black-box" designers decided was
> True. You can install and deinstall just what you want on a Unix box.
> Which sort of introduces:
> 4) Black boxes are safer in inexperienced hands because you _can't_ change
> so much about them!
> Lars Bertelsen
> Gartnervang 29 tlf. 4635 1115
> 4000 Roskilde, DK e-mail of choice: lbe @