I've spent a couple of minutes trying to get the hang of what you've been chatting about (this is an oooold thread :P ).
To start with defending myself, I know nothing about Volvos (but I do know some of their infrastructure :p), and sadly not much about smaller motorcycles ;).

I have to agree with Arend on the description of a hardware firewall - it's purpose-built.

A sole firewall simply allows or drops/rejects packets at a specific OSI level (transport layer); SPI features were included in this segment. Most firewalls now, though, have UTM features, pushing them up to the application level, making them aware of e.g. content, meaning they can identify the content type as well, and also granting logic for (N)IDS/(N)IDP. If you're talking with a sales person, they'd sell you an NG firewall, because it has added features when it comes to the UTM department, and is, well, usually also stacked with proxy features... Still, they are purpose-built, dedicated boxes (some release them as VMs..) etc.

I've already been sniffing around on this, but when it comes to 0-day stuff, it's either related to IDS/IPS features or AV features in a UTM fw. This is the part that does the actual identification of what kind of traffic it is, be it binaries that traverse the network.

An ISA server, for example, is not purpose-built, and neither is a Linux system installation - since it's not "bare metal". Hardware firewalls, at least most of the higher-end segment today, come with off-loading chips that accelerate traffic once it has been identified, giving them a great benefit over fw's where packets still have to be handled by the kernel/network stack.
Edit: Now, I know someone might argue that the ISA is purpose-built, but since it's such a poor implementation, and not something you should ever put facing a WAN, I do want to highlight that MS might have wished it was, but I can't see how it ever could be..

A "NAT" box, well, now we're talking routing features. This is related to UTM fw's/NG fw's.

Here's the thing - a good device is a device that you fully understand and can manage/prevent with.
There is (expensive) stuff you can buy now that actually can act as a MiTM device and run all non-identified binaries etc. before they hit your org (or rather, it can be run at the same time as the "original", giving the sysadmin a PoC of its effects, if it's deemed to be possible malware/etc.). And it gives you a full report of what it did ;).

Do remember, a "correctly" segmented and filtered LAN wins over the best and most powerful FW that just grants every direction and every source full-out communication with the world.


Not sure what I am expected to add to the discussion here :p. But nice to see so many of you alive! ;)


Edited by Björn (2012-11-12 09:57 AM)
Edit Reason: Added some ISA nonsense.
_________________________
as long as it works - why fix it?
If it doesn't work - kix-it!