On Sat, 29 May 1999, Chris Michael wrote:
> At 10:09 AM 5/28/99 , Larry Claman wrote:
> > I won't comment on this, other than
> >to say that many (most) security experts still distrust NT.
>
> And why is that, exactly? Is this distrust based on an analysis of how the

I'd started a long list but Paul Robertson beat me to most of it. While I
agree with Paul's post, he missed a few IMO.

Ninth - Reliability/maintainability:
A firewall is a 24x7 operation; rebooting every time I bug-fix the GUI, a
minor proxy, or other piece of code is not a 24x7 option. I've run 24x7
shops before (reboot every 6-18 months just 'cause, no kidding, been
there). I expect a Unix box to be rebooted periodically just like any
other. And due to the changing security picture, I expect that I'll have
a 'high' patch rate on a firewall compared to an internal only production
system that is tightly controlled. However, a reboot on practically every
patch is not acceptable. Additionally if I added a new feature I have to
reinstall the NT service packs, increasing the down time.

Tenth - there's always some OS code so the OS counts
The question was if all the OS code was replaced by the firewall vendor,
what's the problem. Implication, the OS is not involved in the firewall so
who cares. No vendor I know of on NT removes all the code from the adapter
up to the active firewall, most use at least the NDIS drivers from Redmond
(or the adapter vendor). So the question is moot (of course I could be
wrong, if you think I am, see the next point).

Eleventh - Reliability 2 (or why the OS counts anyway :-).
Any OS code above the 'firewall' on the same box that causes the box to
crash is a denial of service on the firewall. Consequently, a pretty blue
screen on the NT firewall due to a GUI error while looking at a log or
other user operation implies a firewall stability/usability/reliability
problem. I've NEVER panic'ed a UNIX box while using cat, tail, head, grep,
more, or vi via telnet or the console. I have been blue screen of death'ed
before, usually at a VERY inopportune time.

All that notwithstanding, it IS possible (or even reasonable :) to use an
NT based firewall. A defense in depth situation where the traffic is all
outbound and using internal addressing at a site that has nothing to
protect (no web servers, mailers, etc. Think branch location). You trust
the staff, configuration changes are almost non-existent, and the admin is
a point and shoot type of guy. Basically you need a screening router with
NAT but you put in an NT firewall because it is easier to point and shoot
for the admin :-).

Another more likely situation may be one where the entire staff is NT
oriented. You have a really good NT guy. No one can spell Unix and you
aren't allowed to hire. Do you put in a box that has better security
potential (Unix) and potentially misconfigure/manage it OR put in a box
that has potentially lower security that you can configure and manage?
I.e., just because a top of the line Unix guy on a Unix box has a 'probably'
more secure firewall with better uptime than the top of the line NT guy
with the NT firewall, does NOT imply that a Unix novice with a Unix
firewall is more secure than a top of the line NT guy with an NT firewall.
You still have the eggs in one basket problem, but a single well watched
basket is sometimes better than two baskets no one is watching.

Dana Nowell Home: mailto:[EMAIL PROTECTED]
Cornerstone Software Inc. Work: mailto:[EMAIL PROTECTED]
MIME attachments preferred, BINHEX and uuencoded acceptable.
The opinions above are free, remember you get what you pay for.
The company doesn't speak for me and I don't speak for them.