SLOTD: why buy a firewall?

OK - so I was at a very interesting customer today, and conversation swung around to "defense-in-depth" and that bastion of IT security, the firewall.[1]

We were in the midst of some on-the-fly rearchitecture discussion (read: "if we replumb it all in a more elegant fashion, what needs to be fixed or added in order to make it safe?") and it turned out that an extra firewall to demarcate a line between some public and private machines would make matters a lot more secure.

"It'll cost a lot, this new firewall", says their long-haired sysadmin.

"Why?", says I.

"Firewall license" says he, and names a largeish four-figure number. Eek. That's more than the hardware!

So one of the things I've never understood - and I've told him this - is why the "Cult Of Firewall" is such that only a "dedicated box or appliance" running "genuine firewall software" for which $$$$$$ are paid, is what people go running towards whenever firewalls are mentioned.

Sure, in an enterprise context where people bandy words like "five nines" (i.e. 99.999% uptime) - or "extreme(ly) high availability", or where you need "management consoles" - then do buy an enterprise solution where you might be able to sue the vendor if it blows up.

But if you are a small-to-medium organisation with your own in-house pet geeks, then why not take advantage of general-purpose functionality of general-purpose operating systems and deploy Solaris, Linux or *BSD as a firewall? Consider your choice carefully, minimise it to the utmost, but it'd be a lot cheaper and often perfectly adequate and more than adequately performant.
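What "minimise it to the utmost" looks like in practice, as an added example that is not part of the original post: a complete pf.conf for an OpenBSD box sitting exactly where the extra firewall above would go, between a public segment and a private one. OpenBSD pf is my choice here (the post leaves the OS open); the interface names, address ranges and the single exposed web server are assumptions, and the syntax is OpenBSD 4.7 or later.

```conf
# /etc/pf.conf -- an added example in OpenBSD pf syntax (4.7 or later), not the
# post's own configuration. Interface names and address ranges are assumptions.
ext_if = "em0"                  # assumed: faces the Internet
dmz_if = "em1"                  # assumed: the public machines
int_if = "em2"                  # assumed: the private machines
dmz_net = "192.0.2.0/24"        # constructed (documentation range)
int_net = "192.168.10.0/24"     # constructed
web_srv = "192.0.2.10"          # constructed: the only public service

set skip on lo

# Normalise packets, and drop anything whose source address could not
# legitimately have arrived on that interface.
match in all scrub (no-df)
antispoof log quick for { $ext_if $dmz_if $int_if }

# Private hosts reach the Internet through the firewall's external address.
match out on $ext_if from $int_net nat-to ($ext_if)

# Default deny, logged. Rules are stateful by default, so only the direction
# that opens a connection has to be permitted.
block log all

# The demarcation itself: nothing from the public segment may open a
# connection into the private segment or to the firewall.
block in log quick on $dmz_if to $int_net
block in log quick on $dmz_if to self

# Firewall management: SSH from the private side only.
pass in on $int_if proto tcp from $int_net to self port 22

# Internet -> DMZ: the web server is the only thing reachable from outside.
pass in on $ext_if proto tcp to $web_srv port { 80 443 }

# Private -> anywhere but itself; DMZ -> Internet (updates) and nothing else.
pass in on $int_if from $int_net to ! $int_net
pass in on $dmz_if from $dmz_net

# Outbound legs of the connections admitted above.
pass out on { $ext_if $dmz_if }
```

The whole policy is the two "block in ... quick" lines plus "block log all": everything else is an explicit exception, and every drop is logged to pflog0 where it can be watched with tcpdump. Check the file for syntax errors before loading it with `pfctl -nf /etc/pf.conf`; the cost of this firewall is the box it runs on.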

I started at Sun in 1992 and if I had had more business sense back then, and if I had had more money, then I would have cottoned on to the number of SparcStation2's that I was buying, to act as "routers" for our intranet. This observation might have led me to invest in Cisco and its dedicated routers, and made me a tidy profit. Oh well.

But the thing about IT security is that "what goes around, comes around". Maybe it's time for the comeback of the general-purpose operating system, in tiny tasks, on more-than-adequately-powerful hardware?

- alec

[1] yes, this is an intentional pun. :-)


I think one 'pro' for having a firewall appliance from one of the big names (Cisco, Juniper, etc.) is that it's standardized to some extent and there's a pool of people with Official Papers (read: certification) for them.

I think that IPFilter/PF/iptables would be just as effective if not more (see OpenBSD and CARP/pfsync for reliability), but your pool of potential people can shrink. Anyone competent can use these tools, but in megacorp that can be something hard to find sometimes. :)

Also, this "someone to sue" excuse is something I find complete BS. Have people actually read the EULAs on commercial software? Specifically the parts about "not fit for any particular purpose" and "no warranty".

Posted by David Magda on April 26, 2007 at 10:20 AM PDT #
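The CARP/pfsync reliability David points to, as an added example that is not from the comment or from the OpenBSD project's own documentation: two identical pf boxes share one gateway address per segment through CARP, and pfsync copies the state table across a private link, so when the master fails the standby already holds every established connection. Interface names, addresses and the passphrase are assumptions; the second box is configured the same way except for its real addresses and a higher "advskew" (a lower value is preferred as master).

```conf
# Added example: one side of a CARP/pfsync pair on OpenBSD. Not the commenter's
# configuration; names, addresses and the passphrase are assumptions.

# /etc/hostname.carp1 -- the shared private-side gateway address (constructed).
# The real interface em2 keeps its own address; clients point at 192.168.10.1.
inet 192.168.10.1 255.255.255.0 192.168.10.255 vhid 1 carpdev em2 pass ChangeThisPassphrase advskew 0

# /etc/hostname.pfsync0 -- state synchronisation over a dedicated crossover
# link (em3, assumed). pfsync is unauthenticated, so this link is never shared.
up syncdev em3

# /etc/sysctl.conf -- let the preferred master take the address back when it
# returns, and fail over every shared address together rather than one at a time.
net.inet.carp.preempt=1

# /etc/pf.conf additions on both boxes: trust the sync link completely, and
# allow CARP advertisements on every interface that carries a shared address.
sync_if = "em3"
set skip on $sync_if
pass on { $ext_if $dmz_if $int_if } proto carp
```

A shared address is needed on each of the three segments (one hostname.carpN file per interface, each with its own vhid), and the two boxes must run the same ruleset; the failover is only as clean as the configuration drift between them.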

Also, this "someone to sue" excuse is something I find complete BS.

Generally I agree with you on that, but it's an attitude that I see a lot, and moreover any amount of disclaimerage does not seem to stop people *trying* to sue. It seems to be the way of things, and what you can manage to disclaimer is not necessarily the same in all jurisdictions. Sometimes it's just hot air.

One of the things that I *do* really like about the general-purpose-machine firewall solution is the *difference* of it; this verges on tautology but put more plainly I still have a fear of "monoculture syndrome" where the same firewall software deployed everywhere - or disparate firewall systems managed and configured by a single tool - might all be knocked-down by a single flaw which is common to all implementations or configurations.

I appreciate security as art, and when someone implements a firewall complex simply and properly with "multiple, independent, different, mutually-reinforcing security technologies", it's *beautiful* to me.

Having big-name firewalls and unified management infrastructures may lower TCO, but it's neither beautiful nor simple nor proper. :-)

Posted by alecm on April 26, 2007 at 08:51 PM PDT #

OK, it's all about requirements and resources. What are the set of solutions that meet your requirements and who do you have available to provide care and feeding. For the generic company firewall, I agree with David on the availability of certs to manage it.

For me personally, I've been very happy with the WRAP ( hardware with M0n0wall ( The appliance platform is very reliable, has the right number of ports and is a disk-less, fan-less appliance. However I now see that it is going to be discontinued. The software meets my needs for configuration control (more for the IT professional than the Average Joe Consumer). The only times my firewall has been rebooted is because I upgraded the firmware with a new version of the firewall software.

In the consumer SOHO personal firewall space, I've recently tried this ( and this ( Comments reserved on these. Steve

Posted by Steve Lodin on April 27, 2007 at 01:09 AM PDT #
