>Chris Brenton wrote:
>> This really comes down to what the firewall administrator is comfortable
>> with. IMO if you take an MCSE and hand them a Sun box, you are going to
>> end up with a far less secure platform than if they stick with NT.

This whole thread has been interesting and informative. However, I think
the focus on understanding the OS misses a major point. What a good
firewall or security administrator needs is a clear understanding of TCP/IP,
how it works, and what its security vulnerabilities are. Unfortunately,
the typical OS certification courses are all woefully lacking in giving a
good in-depth understanding of the inner workings of TCP/IP. They all tend
to be too vendor specific.

I have worked with people who are quite good at configuring Sun boxes or
are quite good at configuring NT boxes. But if they have poor TCP/IP
skills, they are not particularly good at configuring a firewall system.
I have also found if you have good TCP/IP skills, an in-depth understanding
of the underlying OS is less important when administering a firewall
system.

BTW, my own preference and recommendation for a firewall platform would
be a Unix-based system. Why? Unix is simply more mature and stable
from a TCP/IP networking standpoint. Most major Unix vendors have had
TCP/IP networking code in their kernel since the early 1980s. A lot of
the kinks and bugs have been worked out of those systems. NT's
networking code is simply less mature. Will NT catch up? Maybe, but
by being a proprietary code base it will be a slower process.

One of the real advantages of an open code base (most Unix systems have
networking code based on the BSD kernel code whose source was openly
licensed) was a lot of researchers and system programmers used the
system and could apply bug fixes almost immediately since they had the
source code. Vendors like Sun and others picked up this code base for
their own use, but they had a head start because of the work already
done to improve the networking code by the research and educational
community at the time.

The Linux code base shows the same phenomenon at work. The Linux TCP/IP
implementation is a complete rewrite which had significant problems at
first. But the code rapidly matured because it is openly available.

Smoot Carl-Mitchell