Maintaining the Underlying Platform
As with any device on the network, firewalls run software in order to perform their functions, whether that software is embedded in an application-specific integrated circuit (ASIC), runs from Flash memory, or runs from a disk file system. Typically, as in the case of the Cisco PIX and ASA platforms as well as NetScreen and other vendor firewalls, these firewalls run a custom operating system whose source code is not available to the general community for review or tampering. If a bug or vulnerability is discovered by an outside party, it is left to the manufacturer to develop a patch and release a new version of the operating system, which the end user must then install to solve the problem. In addition, any new feature added to the device is delivered according to the schedule of the manufacturer.
At the opposite end of the spectrum are the open source systems with firewall capabilities. These include Linux, OpenBSD, and Solaris 10, to name a few. The source code of each of these systems' firewalls (Linux's NetFilter, OpenBSD's PF, and Solaris 10's IPFilter) is available for inspection by outside groups. This does not necessarily mean that the filter code in these operating systems is better, but it can be more easily extended by someone who has the skill set necessary to code the additional capabilities into the software. However, each of these filtering systems runs under a more generic operating system (Linux, OpenBSD, and Solaris, respectively), and therefore the possibility of bugs or vulnerabilities (some tied to the filtering code and others not) may be greater, because the underlying operating systems are meant for more general use. Such systems require care, patience, and effort both to maintain and to secure, so that the firewall itself is not compromised. If a bug or vulnerability is discovered in one of these firewalls, the patch for it is likely to be available sooner than it would be for a closed source appliance system. Typically, this is because the number of people who may be able to provide a fix for the bug or vulnerability is significantly greater than the number involved in the development of commercial closed source systems. This does not mean that vendors such as Cisco, NetScreen, Watchguard, Linksys, and the like do not provide timely patches; in some cases, it depends on the severity of the problem. Statistically, however, Linux and OpenBSD bugs are fixed quickly relative to closed-source vendors