On Thu, 3 Jun 1999, Jen wrote:
> True. Also, if you only have one Unix expert and the rest of your folks
> are NT people without a clue about Unix, you may still consider an NT
> firewall. Otherwise your Unix person becomes the single point of
> failure on the firewall. In other words, think about what happens if
> they quit on bad terms and you suspect they're a security risk. You've
If you haven't done the correct external auditing that's true of any
box, because they could trojan frotz.dll and you'd never know it, or
add a NETBUEI shim to the network driver or whatever. If you can't verify the
installation of the OS by checksum independent of the primary administrator it
doesn't matter what OS you're using, worrying about it in those terms doesn't
provide much value.
> got a problem 'cause they know a lot more about breaking into that box
> than the rest of your staff does about configuring it.
It's my experience that knowing how to break into systems is its own
skillset. People who can do it in general don't really care as much
about the OS than they do about how well the system was set up. External
*real* audits are a way to get a level of assurance from that.
The counter argument to yours would be that the number of administrators
now capable of compromising the firewall has gone up exponentially.
Every trust/assurance choice has tradeoffs.
Consider the case where the box has been correctly configured, verified
and set up correctly. Now you have a situation where in your example,
nobody is allowed to touch the box and it contues to function or it's
given to someone who may not have enough of a clue and they proceede to
mess it up.
Both arguments are fairly specious. While some people tend to vent at
the exit stage, it's only when you don't handle that right, and it's done
quickly enough that things are repairable in most cases that I've seen.
The real problem in your scenerio - and the one that merits a lot of
attention is having an administrator who you don't have trust in or who
doesn't have the commensurate level of professionalism.
It'd be pretty silly to trojan a firewall though. It's *much* easier to
trojan a couple dozen clients or internal servers where software audits don't
tend to be performed and users tend to install their own software. "The
browser is in the OS" has to be one of the most boneheaded "features" from
an Internet security standpoint. A copy of something like Sourcer and 15
minutes and that's all she wrote.
I have a question though -
Why are all of you hiring "NT people" or "Unix people" instead of
"computer people" to do core infrastructure and security work?
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
