Great Circle Associates Firewalls
(October 1997)
 


Subject: Re: PIX and other "Black boxes" vs normal firewalls.
From: "Narednik" <narednik @ worldnet . att . net>
Date: Mon, 13 Oct 1997 21:43:42 -0700
To: "Lars Bertelsen" <lbe @ login . dknet . dk>
Cc: <firewalls @ GreatCircle . COM>
Reply-to: <narednik @ worldnet . att . net>

Dear Mr. Bertelsen,

Somehow, by mistake, this message was forwarded to me.   I'll cc: it to the intended recipient.

Have a nice day!

Sincerely,

Ivan

----------
> From: Lars Bertelsen <lbe @ login . dknet . dk>
> To: firewalls @ GreatCircle . COM
> Subject: Re: PIX and other "Black boxes" vs normal firewalls.
> Date: Saturday, October 11, 1997 1:06 AM
>
> In your message you write:
>
> >I am relatively new to firewalls (I have set up several with the TIS fwtk and
> >managed some others) and I am running into management that is saying we
> >need to replace the Unix based firewalls with "black-box" firewalls (the
> >CISCO PIX being used as an example). I would like to get info from both
> >sides of the issue before deciding which way to jump.
> >
> >Current arguments are.
> >
> >1. black-boxes are more secure as they do not run Unix which everyone
> >knows and which has unknown security holes in it.
> >
> Black boxes may have holes in them too. Blackboxes run off software and
> software has bugs!
> Cisco have made many bugfixes to their operating system over time.
> Oh, and Cisco's run on a small unix or very unix-like OS!
> The difference between Unix based firewalls and blackboxes in this respect
> is that if a blackbox has a hole in it, only the manufacturer can confirm
> and fix it. It is not that holes aren't existent!
>
> Oh, and Unix doesn't have security holes as far as I know... Certain
> servers running under Unix have security holes, but that is something
> entirely different. Don't run anything on your Unix box which isn't both
> safe and necessary!
> That way Unix is safe.
>
>
> >2. black-boxes require less time to manage reducing the need for
> >firewall/security staff.
> No comment. I haven't set up a Cisco PIX.
> But I would assume that if it does as many things as a Unix based firewall
> then it will take roughly as much setup and maintenance.
> A router takes less setup than an application-firewall because it only does
> one thing: Filter on packets.
>
>
> >
> >3. Unix based firewalls are more flexible as they can be tailored to the
> >specific application better than what the "black-box" designers decided was
> >needed.
> True. You can install and deinstall just what you want on a Unix box.
>
> Which sort of introduces:
> 4) Blackboxes are safer in inexperienced hands because you _can't_ change
> so much about them!
>
>
> Lars Bertelsen
> Gartnervang 29         tlf. 4635 1115
> 4000 Roskilde, DK      e-mail of choice: lbe @ login . dknet . dk
>
