PrepAway - Latest Free Exam Questions & Answers

Why are hardware security features preferred over software security features?


A.
They lock in a particular implementation.

B.
They have a lower mean time to failure.

C.
Firmware has fewer software bugs.

D.
They permit higher performance.

MTTF is typically the time to failure. “MTTF is the expected typical functional lifetime of the device given a specific operating environment” (- Ed Tittle CISSP Study Guide (sybex) pg 657). This leads me to think that this question says hardware has a SHORTER lifespan than software. Thus I am going to have to go with D (higher performance). This can be because of ASICs. As always, use your best judgment, knowledge and experience on this question. Below are some points of view.

Few things to consider when deploying software based firewall:
- Patching OS or firewall software could bring down firewall or open additional holes.
- OS expertise vs. firewall expertise (you may need two administrators).
- Support contract (one for hardware, one for OS, one for firewall), who do you call?
- Administration (one for OS and one for firewall). If you're not an expert in both then forget it.
- High availability (stateful failover) (usually requires additional software and costs a lot of money). As a result it adds to support costs.

Are software firewalls a bad idea? It depends. Every situation is different.
-Bob http://www.securityfocus.com/archive/105/322401/2003-05-22/2003-05-28/2

A software firewall application is designed to be installed onto an existing operating system running on generic server or desktop hardware. The application may or may not ‘harden’ the underlying operating system by replacing core components. Typical host operating systems include Windows NT, 2000 server or Solaris.

Software firewall applications all suffer from the following key disadvantages:
- They run on a generic operating system that may or may not be hardened by the firewall installation itself.
- A generic operating system is non-specialized and more complex than is necessary to operate the firewall. This leads to reliability problems and hacking opportunities where peripheral/unnecessary services are kept running.
- Generic operating systems have their own CPU and memory overheads, making software based firewalls slower than their dedicated hardware counterparts.
- If the software firewall uses PC hardware as the host platform, then there may be additional reliability problems with the hardware itself.
- Sub-optimal performance of generic hardware also affects software applications bundled with their own operating systems.
- There is no physical or topological separation of the firewalling activity.

A dedicated hardware firewall is a software firewall application and operating system running on dedicated hardware. This means the hardware used is optimized for the task, perhaps including digital signal processors (DSPs) and several network interfaces. There may also be special hardware used to accelerate the encryption/decryption of VPN data. It may be rack mounted for easy installation into a comms’ cabinet.

We recommend dedicated hardware firewalls as they offer several key advantages over software applications:
- Dedicated hardware is typically more reliable.
- Hardware firewalls are simpler, hence more secure.
- Hardware firewalls are more efficient and offer superior performance, especially in support of VPNs.
- The firewalling activity is physically and topologically distinct.
http://www.zensecurity.co.uk/default.asp?URL=hardware%20software%20firewall

QUESTION 913
Firewalls can be used to

A.
Enforce security policy.

B.
Protect data confidentiality.

C.
Protect against protocol redirects.

D.
Enforce Secure Network Interface addressing.


Explanation:
This is a sort of iffy question. Hardware allows faster performance than software and does not need
to utilize an underlying OS to make the security software operate. (An example is PIX firewall vs
Checkpoint). The mean time to failure answer to me is ok but the hardware that the software security
also has a MTTF. A few people looked over this question and had no problem with the answer of B
(mean time to failure question) but as I looked into it I have picked

A firewall is a device that supports and enforces the company’s network security policy. – Shon Harris
All-in-one CISSP Certification Guide pg 412

