Don Kelloway wrote:
> 
> Sure, I think we can all agree that an "out-of-the-box" default NT
> installation is far from being considered secure.

This really comes down to what the firewall administrator is comfortable
with. IMO if you take an MCSE and hand them a Sun box, you are going to
end up with a far less secure platform than if they stick with NT.
What's going to happen when the very first security patch is released?
You might as well hand them a Vax. ;)

If you are fluent in Unix, stick with Unix. If your strength is NT,
stick with that.

> On April 28th, 1999, the UK Government announced that Microsoft® Windows NT®
> Server and Workstation 4.0 had completed a successful evaluation under the
> ITSEC regime at the E3/F-C2 level. E3/F-C2 is widely acknowledged to be the
> highest ITSEC evaluation rating that can be achieved by a general-purpose
> operating system.
> 
> For the rest, see http://www.microsoft.com/security/issues/e3fc2summary.asp

Humm. Quick query for anyone who is familiar with this report (available
at http://www.itsec.gov.uk/ )

One of the sections reads:

"f. Domain based security functionality is included but only up to the
transport driver interface (using the ISO 7 layer model); underlying
network protocols and architecture are excluded for source code level
logical analysis but they are included in the evaluated configuration
and penetration testing. Windows NT native security protocols such as
Windows NT Challenge/response operate at a layer above the typical
network protocols such as TCP/IP and are therefore included."

Do I read this to mean that only ISO 7 and above was actually
scrutinized and layers below were simply configured and possibly hit
with a couple of scripted tests? I ask because if the machine is doing
duty as a firewall, it's really the underlying stack that you would be
most interested in. I'm not sure from this statement how much actual
testing was done on the TCP/IP stack.

> Although NT4 is in the process of achieving C2 certification, here's a brief
> summary:
> 
> On October 2nd, 1998, Microsoft completed a significant milestone in the
> evaluation of Microsoft® Windows NT® Server and Workstation 4.0 against the
> C2 requirements of the US Government's Trusted Computer System Evaluation
> Criteria (TCSEC). C2 is widely acknowledged to be the highest TCSEC
> evaluation rating that can be achieved by a general-purpose operating
> system.
> 
> For the rest, see http://www.microsoft.com/security/issues/c2summary.asp

Hopefully they do better than they did with 3.51. To quote from:
http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-95-003.html

"Because the evaluated configuration does not include a network
environment, both products (NT server and workstation) are considered
stand-alone workstations."

Kinda hard to build a firewall on a platform that does not include a
network environment. ;)

Cheers all,
Chris
-- 
**************************************
[EMAIL PROTECTED]

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet