Maintaining the Underlying Platform
As with any device on the network, a firewall runs software (whether embedded in an application-specific integrated circuit [ASIC], loaded from Flash memory, or started from a disk file system) to perform its functions. Typically, as with the Cisco PIX and ASA platforms, NetScreen, and other vendors' appliances, that software is a custom operating system whose source code is not available to the general community for review or modification. If an outside party discovers a bug or vulnerability, it is left to the manufacturer to develop a patch and release a new version of the operating system, which the end user must then install to solve the problem. Likewise, any new feature is added to the device on the manufacturer's schedule.
At the opposite end of the spectrum are the open source systems with firewall capabilities, such as Linux, OpenBSD, and Solaris 10. The source code of each of their packet filters (Netfilter on Linux, PF on OpenBSD, and IPFilter on Solaris 10) is available for inspection by outside groups. This does not necessarily mean that the filter code in these operating systems is better, but it can be more easily extended by someone with the skill set to code additional capabilities into the software. However, each of these filters runs inside a general-purpose operating system (Linux, OpenBSD, and Solaris, respectively), so the possibility of bugs or vulnerabilities (some in the filtering code, others not) may be greater, simply because the underlying operating system is built for far more than packet filtering. Such systems require care, patience, and effort to maintain and to secure so that the firewall itself is not compromised. If a bug or vulnerability is discovered in one of these firewalls, the patch for it is likely to be available sooner than for a closed source appliance, typically because the number of people able to provide a fix is far greater than the number of developers working on a commercial closed source system. This does not mean that vendors such as Cisco, NetScreen, WatchGuard, Linksys, and the like do not provide timely patches; in some cases, it depends on the severity of the problem. Statistically, however, Linux and OpenBSD bugs are fixed quickly relative to closed-source vendors. Bear in mind that a quickly published patch helps only if the administrator notices it and applies it; on an open source host, that tracking is the administrator's job, not the vendor's.
Consider a firewall consisting of a simple Intel PC with two interfaces running Fedora Core 4 Linux with Netfilter as the packet filter. Fedora Core 4 ships on the order of 1500 packages (1806, to be exact). Any one of those packages may contain a bug that could, however unlikely, lead to the compromise of the system, and every package that is actually installed is one more thing the administrator must track and patch. A firewall host needs only a small fraction of that set (the kernel, the filtering tools, a remote administration channel, and little else), so a minimal installation with everything else removed is the practical starting point. Even so, the level of effort to secure the system properly and to keep it maintained may be beyond the capabilities of most people without a sufficient technical background. For a more novice group of users, a packaged, closed source system may be the better choice. A Linksys router/firewall, a Cisco PIX 501, or a NetScreen 5XP may be better suited to the less technically savvy individual or to someone who chooses a closed source appliance because of the lower effort required to configure and maintain it. Nevertheless, for those who are willing to make the effort and for those who are skilled, an open source firewall can fit the bill.
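The package count above is the maintenance burden in concrete form. The following Python script is an added example (not from the book) that audits a Netfilter host's package footprint the way an administrator would after installing Fedora: it flags installed packages outside a minimal firewall-role allowlist, and installed versions older than the fixed version named in a vendor advisory, comparing versions with the same digit-run/letter-run segment rule that rpm uses. The package list, the allowlist, and the advisory identifiers are constructed sample data, not real Fedora Core 4 contents or real advisories.

```python
"""Audit the package footprint of a Linux firewall host.

Added example, not from the original text. Two checks that a Netfilter
host's administrator has to perform by hand:
  (a) which installed packages lie outside the firewall role's allowlist
      (attack surface and patch burden with no filtering benefit), and
  (b) which installed packages are older than the fixed version in an
      advisory (the patch exists but has not been applied).
All package names, versions and advisory IDs are constructed sample data.
"""
import re

# Constructed sample, shaped like `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`.
INSTALLED = """\
kernel 2.6.11-1
iptables 1.3.0-2
openssh-server 4.0p1-3
openssh-clients 4.0p1-3
httpd 2.0.54-10
cups 1.1.23-15
sendmail 8.13.4-2
bash 3.0-31
"""

# Constructed allowlist: what a two-interface packet filter actually needs.
FIREWALL_ROLE_ALLOWLIST = {"kernel", "iptables", "openssh-server",
                           "openssh-clients", "bash"}

# Constructed advisories: (advisory id, package, first fixed VERSION-RELEASE).
ADVISORIES = [
    ("EX-2005-001", "openssh-server", "4.0p1-4"),
    ("EX-2005-002", "httpd", "2.0.54-11"),
    ("EX-2005-003", "kernel", "2.6.11-1"),   # already at the fixed version
]

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpm_vercmp(a, b):
    """Compare two rpm version strings; return -1, 0 or 1.

    Mirrors rpm's segment rule (tilde/caret special cases omitted): split
    each string into runs of digits and runs of letters, compare numeric
    runs numerically and alphabetic runs lexically, a numeric run beats an
    alphabetic one, and if every paired segment is equal the string with
    segments left over is the newer one.
    """
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def version_release_cmp(a, b):
    """Compare 'VERSION-RELEASE' strings the way rpm does: version, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)


def parse_installed(text):
    """Turn 'name version-release' lines into a {name: version-release} dict."""
    pkgs = {}
    for line in text.splitlines():
        if line.strip():
            name, vr = line.split()
            pkgs[name] = vr
    return pkgs


def audit(installed, allowlist, advisories):
    """Return (packages outside the role, advisories not yet applied)."""
    pkgs = parse_installed(installed)
    surplus = sorted(name for name in pkgs if name not in allowlist)
    unpatched = [
        (adv, name, pkgs[name], fixed)
        for adv, name, fixed in advisories
        if name in pkgs and version_release_cmp(pkgs[name], fixed) < 0
    ]
    return surplus, unpatched


if __name__ == "__main__":
    surplus, unpatched = audit(INSTALLED, FIREWALL_ROLE_ALLOWLIST, ADVISORIES)
    print("Packages outside the firewall role (candidates for removal):")
    for name in surplus:
        print("   ", name)
    print("Advisories whose fixed version is newer than what is installed:")
    for adv, name, have, fixed in unpatched:
        print(f"    {adv}: {name} installed {have}, fixed in {fixed}")
```

On a real host, replace INSTALLED with the output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` and ADVISORIES with the package and fixed version from each vendor advisory you track. An empty result from both checks is what "maintaining the underlying platform" means in practice; anything in the first list is a package to remove rather than patch.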
Maintaining the underlying platform requires time, and the more complex the platform, the more time it takes. This is where closed source appliances such as PIX, NetScreen, and Linksys have an advantage: they provide a device that, although still configured and maintained by the user, eliminates many of the variables inherent in a general-purpose operating system. This makes it much easier for a less experienced user to keep the firewall maintained.