
Maintaining the Underlying Platform

Pages: 2      File type: pdf      Size: 27.41 KB      Views: 16      Downloads: 0
Jamona


Document information:

As with any device on the network, firewalls run software (whether it is embedded in an application-specific integrated circuit [ASIC] or runs from Flash memory or runs from a disk file system) to be able to perform their functions.
Content extracted from the document:
As with any device on the network, firewalls run software (whether it is embedded in an application-specific integrated circuit [ASIC], runs from Flash memory, or runs from a disk file system) to be able to perform their functions. Typically, as in the case of the Cisco PIX and ASA platforms as well as NetScreen and other vendor firewalls, these firewalls run a custom operating system whose source code is not available to the general community for review or tampering. If a bug or vulnerability is discovered by an outside party, it is left to the manufacturer to develop a patch and release a new version of the operating system, which the end user then installs to solve the problem. In addition, any new feature added to the device is delivered according to the schedule of the manufacturer.

At the opposite end of the spectrum are the open source systems with firewall capabilities. These include Linux, OpenBSD, and Solaris 10, to name a few. For each of these systems (Linux's NetFilter, OpenBSD's PF, and Solaris 10's IPFilter), the firewall source code is available for inspection by outside groups. This does not necessarily mean that the filter code in these operating systems is better, but it can be more easily extended by someone who has the skill set necessary to code the additional capabilities into the software. However, each of these filtering systems runs under a more generic operating system (Linux, OpenBSD, and Solaris, respectively), and therefore the possibility of bugs or vulnerabilities (some tied to the filtering code and others not) may be greater because the underlying operating systems are meant for more general use. Such systems require care, patience, and effort to both maintain and secure, to ensure that the firewall is not compromised. If a bug or vulnerability is discovered in one of these firewalls, the patch for it is likely to be available sooner than for a closed source appliance system. Typically, this is because the number of people who may be able to provide a fix for the bug or vulnerability is significantly greater than the number involved in the development of commercial closed source systems. This does not mean that vendors such as Cisco, NetScreen, WatchGuard, Linksys, and the like do not provide timely patches; in some cases, it depends on the severity of the problem. Statistically, however, Linux and OpenBSD bugs are fixed quickly relative to closed-source vendors (http://csoinformer.com/research/solve.shtml).

Consider the case of a firewall consisting of a simple Intel PC with two interfaces running Fedora Core 4 Linux and NetFilter as the filtering firewall. The number of packages in Fedora Core 4 is on the order of 1500 packages (1806 to be exact). Many of these packages may contain a bug that could result (however unlikely) in the possible compromise of the system. In addition, the level of effort to secure the system properly or to maintain the system may be beyond the capabilities of most people without a sufficient technical background. For a more novice group of users, a packaged, closed source system may be the better choice. A Linksys router/firewall, a Cisco PIX 501, or a NetScreen 5XP may be better suited for the less technically savvy individual or for someone who wants a closed source appliance because of the lower effort required to configure and maintain it. Nevertheless, for those who are willing to make the effort and for those who are skilled, an open source firewall can fit the bill.

Maintaining the underlying platform requires time. The more complex the underlying platform, the more time required. This is where closed source appliances such as PIX, NetScreen, and Linksys have an advantage. They provide a device that, although configured and maintained by the user, eliminates many of the variables inherent in more general operating systems. This makes it much easier for a less-experienced user to maintain the firewall.
