Smoot Carl-Mitchell wrote:
> >Chris Brenton wrote:
> >> This really comes down to what the firewall administrator is comfortable
> >> with. IMO if you take an MCSE and hand them a Sun box, you are going to
> >> end up with a far less secure platform then if they stick with NT.
>
> This whole thread has been interesting and informative. However, I think
> the focus on understanding the OS misses a major point. What a good
> firewall or security administrator needs is a clear understanding of TCP/IP,
> how it works, and what its security vulnerabilities are. Unfortunately,
> the typical OS certification courses are all woefully lacking in giving a
> good in depth understanding of the inner workings of TCP/IP. They all tend
> to be too vendor specific.
>
> I have worked with people who are quite good at configuring Sun boxes or
> are quite good at configuring NT boxes. But if they have poor TCP/IP
> skills, they are not particularly good at configuring a firewall system.
> I have also found if you have good TCP/IP skills, an in-depth understanding
> of the underlying OS is less important when administering a firewall
> system.
>
> BTW, my own preference and recommendation for a firewall platform would
> be a Unix based system. Why? Unix is simply more mature and stable
> from a TCP/IP networking standpoint. Most major Unix vendors have had
> TCP/IP networking code in their kernel since the early 1980s. A lot of
> the kinks and bugs have been worked out of those systems. NT's
> networking code is simply less mature. Will NT catch up? Maybe, but
> by being a proprietary code base it will be a slower process.
>
> One of the real advantages of an open code base (most Unix systems have
> networking code based on the BSD kernel code whose source was openly
> licensed) was a lot of researchers and system programmers used the
> system and could apply bug fixes almost immediately since they had the
> source code. Vendors like Sun and others picked up this code base for
> their own use, but they had a headstart because of the work already
> done to improve the networking code by the research and educational
> community at the time.
>
> The Linux code base shows the same phenomenon at work. The Linux TCP/IP
> implementation is a complete rewrite which had significant problems at
> first. But the code rapidly matured because it is openly available.
>
> Smoot Carl-Mitchell
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
This is indeed the key. Let me break it down into two parts:
1) *NIX is more mature than NT... doesn't mean NT is bad... it means it's not
as dependable.
2) *NIX uses a TCP/IP stack that (for the most part) is Open Source... Therefore
the code can be peer-reviewed. MS is proprietary... we have no idea what is
going on there.
And one of my personal favorites...
3) MS has a horrible history in the security realm. If I saw them quickly and
publicly address security exploits for five years or so... then I'd feel more
comfortable... But that hasn't happened.