Tom Shinder on “hardware” firewalls

Tom Shinder of ISAServer.org takes an amusing shot at the myth in some circles that a “hardware” firewall or “firewall appliance” offers more security than a Microsoft ISA Server firewall.

Tom Shinder on “Hardware” firewalls

I was drawn to a particular quote in his article about the relative security of ISA Server to other popular firewalls in the context of the number of reported security vulnerabilities for each product.

A quick look at www.secunia.com shows that the ISA Firewall (2004 and 2006) have no active security issues. Compare this with any “hardware” firewall and you will see that the ISA Firewall is more secure than just about any hardware firewall.

There are a lot of firewall appliances out there so I didn’t do an exhaustive search of their stats on Secunia, but I did take a look at the stats for ISA Server, Cisco Pix, and OpenBSD as those are the three firewalls I am most familiar with in my professional life.

ISA Server

secunia_isa2004.JPGsecunia_isa2006.JPG

Cisco Pix

secunia_pix6.JPGsecunia_pix7.JPG

OpenBSD

secunia_obsd3.JPGsecunia_pix71.JPG

I found those numbers to be pretty interesting. It is not unusual to have a customer request that a two-tiered firewall infrastructure be implemented on their environment. Often this means they request that some type of “appliance”, be that a Cisco Pix or some other third party box painted red and given a secure sounding name, be placed between the internet and the ISA Server that we are implementing for them. Sometimes this is based on the principle of defense in depth, whereas other times it is based on a false belief that a product from Microsoft couldn’t possibly be secure. Maybe if they saw the stats above they would think otherwise.

Related Articles:

Comments

  1. Ray says

    First off, there’s no such thing as a “hardware firewall” unless it runs on pulleys, valves and relays. They all run on software whether it’s stored on hard drives on in firmware.

    Secondly, all software is written by humans who make mistakes and mistakes can be just as bad in firmware or on hard drives.

    Thirdly, any half-decent firewall can protect the device it’s installed on whether it has hard drives or not.

    Lastly, appliances? T’ain’t no such thing. Single-purpose servers might be a better description, but with CIO’s on a “server consolidation” kick, an “appliance” doesn’t count against their server total. If it’s got an operating system and it has to be maintained, it’s a server (or a desktop).

    Ray

  2. says

    Ray, I pretty much agree with you on all counts there. The terms “hardware firewall” and “security appliance” are very much marketing terms which tend to confuse the non-technical person who controls IT spending into thinking they are buying the better product. Actually some very technical people put too much weight on those terms as well.

    Thankfully there is the ISA appliance to sell to them if they can’t let go of that terminology ;-)

Leave a Reply

Your email address will not be published. Required fields are marked *