On 1/12/06, Per Jessen wrote:
Steve Graegert wrote:
On 1/12/06, Per Jessen wrote:
Kai Ponte wrote:
First, I would disagree with using ZA as a software firewall. Actually, from all I've read/seen, a good hardware firewall is all you should need. (Provided it is configured correctly.)
Kai, a hardware firewall is nothing but a blackbox running a software firewall.
Partially true,
Isn't it actually _completely_ true? Unless we've got a manufacturer with a box with a TCP/IP stack implemented as an ASIC, the firewall has got to be software. Splitting hairs, I know, but still.
This is exactly what manufacturers are doing. The stack is not implemented in a single ASIC, but distributed over multiple chips, which are sometimes pipelined (Cisco's implementation) or connected to complex matrices. Every ASIC performs highly specialized operations on the packets.
but most people (just as I do) understand the term "hardware firewall" as an advanced piece of hardware, application-level firewall and not just a simple port filter, which is what effectively every "software firewall" is doing.
Perhaps it's a matter of who "most people" are, but a firewall, whether hardware or software, is not much more than a port-filter. OK, with a few bells and whistles for detecting and dealing with certain kinds of attacks (e.g. DoS). If I take a 486, install Linux and a decent iptables setup, I've got myself a solid hardware firewall - except of course, the firewall is really a software firewall.
A firewall can be much more than a port filter. As stated in my last post, highly sophisticated application-level firewalls operate between layers 4 and 7 of the OSI model, processing data contained in application protocols. This is a fundamentally different approach compared to port filtering. While it's of course possible to implement application-level firewalls on stock hardware (e.g. CheckPoint offers one for AIX), there are numerous products that have implemented such functionality entirely in hardware. I have a Nokia box which operates at the application level and, additionally, does port filtering.
\Steve
--
Steve Graegert
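The port-filter versus application-level distinction argued in the thread, as an added example that is not part of the original messages: the same constructed packets are run through a layer-4 decision (destination port only) and a layer-7 decision that also parses the HTTP payload. The policy (ports 80/443 allowed; on port 80 only GET/HEAD with a Host header) and the sample packets are assumptions made for the illustration, not any product's behaviour.

```python
# Added illustration (not from the thread); policies and packets are constructed.
ALLOWED_PORTS = {80, 443}          # constructed port-filter policy (layer 4)
ALLOWED_METHODS = {"GET", "HEAD"}  # constructed application-level policy (layer 7)

def port_filter(dst_port: int, payload: bytes) -> bool:
    """Layer-4 decision: only the destination port is consulted, payload ignored."""
    return dst_port in ALLOWED_PORTS

def parse_http_request(payload: bytes):
    """Return (method, target, headers) or None if payload is not an HTTP/1.x request."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def app_filter(dst_port: int, payload: bytes) -> bool:
    """Layer-7 decision: must pass the port filter; on port 80 the payload must
    also parse as HTTP and meet the policy (443 is opaque TLS here and is passed)."""
    if not port_filter(dst_port, payload):
        return False
    if dst_port != 80:
        return True
    req = parse_http_request(payload)
    if req is None:
        return False  # non-HTTP traffic on port 80: invisible to a pure port filter
    method, _target, headers = req
    return method in ALLOWED_METHODS and "host" in headers

SAMPLES = [  # constructed packets: (dst_port, payload)
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    (80, b"TRACE / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    (80, b"\x16\x03\x01\x00\xa5\x01"),  # binary data that is not HTTP at all
    (23, b"\xff\xfd\x18"),
]

def decide_all(samples=SAMPLES):
    return [(port_filter(p, d), app_filter(p, d)) for p, d in samples]
```

Running `decide_all()` shows the port filter passing every port-80 packet while the application-level filter rejects the disallowed method and the non-HTTP payload.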