Tom Shinder of ISAServer.org takes an amusing shot at the myth in some circles that a “hardware” firewall or “firewall appliance” offers more security than a Microsoft ISA Server firewall.

I was drawn to a particular quote in his article about the relative security of ISA Server to other popular firewalls in the context of the number of reported security vulnerabilities for each product.

A quick look at www.secunia.com shows that the ISA Firewall (2004 and 2006) have no active security issues. Compare this with any “hardware” firewall and you will see that the ISA Firewall is more secure than just about any hardware firewall.

There are a lot of firewall appliances out there so I didn’t do an exhaustive search of their stats on Secunia, but I did take a look at the stats for ISA Server, Cisco Pix, and OpenBSD as those are the three firewalls I am most familiar with in my professional life.

ISA Server

Cisco Pix

OpenBSD

I found those numbers to be pretty interesting. It is not unusual to have a customer request that a two-tiered firewall infrastructure be implemented on their environment. Often this means they request that some type of “appliance”, be that a Cisco Pix or some other third party box painted red and given a secure sounding name, be placed between the internet and the ISA Server that we are implementing for them. Sometimes this is based on the principle of defense in depth, whereas other times it is based on a false belief that a product from Microsoft couldn’t possibly be secure. Maybe if they saw the stats above they would think otherwise.

A second security hole in the OpenBSD kernel…. in the last 10 years.

Talk about a solid OS.

read more | digg story

I’m a big fan of OpenBSD.  I decided one day a few years ago to have a crack at this operating system that had such a reputation for security, since security is of much interest to me.  I printed out the installation guide from the website, dusted off an old P-90 with 32mb of RAM and 3 or 4 goes later had it up and running.

OpenBSD quickly replaced the IPCop system I had running at the time.  I made plenty of bungles in the early days and rebuilt it many times.  Eventually I upgraded to a Celeron 300mhz machine with 64mb RAM and it became even better.  Its still running on that same hardware over 2 years later and has only gone down when my house lost power, or more recently just last weekend when I recabled the power for that shelf.

The only thing that disappoints me about OpenBSD is that I currently don’t get to use it professionally.  I would love to deploy and manage it for customers but I just don’t see the opportunities out there at the moment.  Hopefully that will change soon.
If you don’t know much about OpenBSD there is a good article here that is worth reading.  Then head on over to OpenBSD.org and get started.