As someone mentioned earlier, you can't pare down NT. With Solaris and
other Unix or Unix-like OSes, you can pare stuff down to just the core
of what you need. With NT, you get a lot of stuff. And new issues are
discovered all the time. So Microsoft might be fixing the issues
quickly, but if a hacker discovers an exploit before they do, well,
you're SOL.
With a pared down OS, you may also have issues, but there's a lot less
code to worry about.
Jen
"Rouland, Chris (ISSAtlanta)" wrote:
>
> Kenneth,
>
> The issues you are referring to are not platform specific, but are a
> function of your implementation. I will be the first to acknowledge that
> MSFT security policy and quick fix engineering was inadequate as of '97.
> However, things in Redmond have changed significantly over the last two
> years. The MSFT security team has done an excellent job in adapting to this
> dynamic space. The issues that you have in deploying NT securely IMO are
> not a function of the technology, but a function of expertise. Do you think
> a Solaris expert could effectively deploy an NT solution? Conversely, I
> wouldn't expect an NT expert to deploy a Solaris firewall appropriately
> (unless you are fortunate enough to acquire a bi-lingual SA). Point being,
> the technology is not as relevant as the resources applied to it.
>
> --
> Christopher Rouland
> Director X-Force
> Internet Security Systems, Inc.
> http://www.iss.net/xforce
> (678)443 6000
>
> -----Original Message-----
> From: Ng, Kenneth [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 02, 1999 1:31 PM
> To: 'Brian Steele'; [EMAIL PROTECTED]
> Subject: RE: Why not NT?
>
> We have a couple of NT firewalls (Raptor to be precise) and they are ok as
> long as everything works. The trouble is, quite often things don't, and the
> firewall is always the first component to be blamed. With the solaris units
> its easy to diagnose: srl (a sort of brain damaged ssh) to the box, and you
> have full Unix diagnostics to do things like snoop, ping, traceroute, check
> the arp cache, etc, etc, etc. In almost every case, the firewall was not
> the problem, but we are guilty until proven innocent. On NT, well, I'm
> reminded of the old Texas Instruments single computer error message: "can't
> do that".
>
> As far as security goes, Microsoft as an extremely poor record for security
> and for platform stability. One of the big things in security is how often
> things are compromised and how fast problems are fixed. NT gets compromised
> regularily. And an annoying percentage of the time when a new exploit tool
> comes out, Microsoft's response is "this is not a new vunerability". That's
> true, its not, but you still have not fixed the old one. And, the number of
> people using that vunerability goes from a few hundred people with
> specialized programs to a million script kiddies. And a million script
> kiddies is a fine example of decentralized parrallel processing.
>
> For right now, we are only buying Solaris Raptor firewalls, the one NT box
> has been phased out. Sure in a few months there will be that new NT product
> or service pack that promises to fix everything in the world and be the best
> thing since sliced bread. But because I've been burned by NT several times
> before, my inclination is to stay away.
>
> > -----Original Message-----
> > From: Brian Steele [SMTP:[EMAIL PROTECTED]]
> > Sent: Wednesday, June 02, 1999 8:05 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Why not NT?
> >
> > What's so funny about this whole thread is these guys ranting and raving
> > about NT being not suitable for Firewall work, but many companies are
> > happily, and successfully, employing NT Firewalls anyway.
> >
> > Perhaps what they should really be asking is what do those companies know
> > about employing an NT-based system that they don't.
> >
> > Ignorance is not knowing.
> > Stupidity is the active pursuit of ignorance.
> >
> > Brian Steele
> >
> >
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> ****************************************************************************
> *
> The information in this email is confidential and may be legally privileged.
> It is intended solely for the addressee. Access to this email by anyone else
> is unauthorized.
>
> If you are not the intended recipient, any disclosure, copying, distribution
> or any action taken or omitted to be taken in reliance on it, is prohibited
> and may be unlawful. When addressed to our clients any opinions or advice
> contained in this email are subject to the terms and conditions expressed in
> the governing KPMG client engagement letter.
> ****************************************************************************
> *
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
