On Wed, 2 Jun 1999, Robert Aitchison wrote:
> I've been watching this thread for a while and have a different point to
> bring up.
>
> Any firewall is only as good as the person who configured it. As an
Ideally, that only has to be done once. Given that most administrators
*aren't* security experts, it's probably best done with help anyway. Our
NT "expert"'s workstation has been known to crash quite a bit on days the
rest of the staff is bored. NT has improved remarkably over the last
year, it's no longer boringly trivial to crash, but it was when NT
firewalls started selling in huge volume - bet there are still a lot that
are *way* vulnerable.
> example, I know quite a bit about NT (IMHO) and a little bit about UNIX. I
> can certainly install and configure a firewall on an NT system and I can
> probably install a firewall on a UNIX system, but I am 100% confident that
> the NT system will be more secure, stable, etc. because I know exactly what
More stable? Methinks not. The official security updates for NT tend to
have outflanked anything on a comparable Unix system where the services
have been shut off except perhaps Linux, where the stack is still young -
and that's probably a coin toss. Secure is arguable and depends a great deal
on a large number of things.
> to do to secure NT and exactly where and how to do it. I would even go so
> far as to take my NT firewall up against 90% of the UNIX firewalls out there
> in production.
We've got quite a few, and I'd take that bet on any of them. Even the
ones I've personally never touched.
> If a company has a lot of NT expertise and no UNIX expertise it is totally a
> better fit for them to deploy an NT based firewall, the system will have a
> hope in hell of being properly maintained and configured than if you have NT
> guys trying to "figure out" the UNIX system as they go. This is one of the
I disagree. When it comes down to it, the commercial firewall packages
these days are GUI, and it really doesn't make a whole heck of a lot of
difference from the firewall package's configuration and auditing
perspective what OS it's on (especially if your policy allows remote
administration on the local network, but even from the console.) I'd rather
spend a day pre-configing a Unix box and a few minutes installing it and
its icons on the desktop.
Checking logs, changing rules, and most other common tasks aren't OS
specific, they're firewall specific.
Uptime on my primary box normally runs in the two+ year range. The
first year or so it was up we had to drop it to add another batch of
network interface cards. The next year we did preventative maintenance
because of a potential bad SCSI drive that fell in the batch number range
of some the vendor had excessive trouble with. After another 700+ days of
uptime one of the NICs failed and had to be replaced and some code needed
updating. We're around 2 1/2 - 3 years now, and it's time to replace the
beast - not that it couldn't go another 2-3 years - but the software
upgrades necessary (y2k OS issues) are a pain and the hardware/software is
ending its support lifespan. It's also time to replace it as a potential
single point of failure - not that it's been down for more than about 8 hours
in the last six or so years. Other than adding some network card
addresses (via a menu-based interface), I can't remember the last time
something "Unix" had to be done on that box. Certainly nothing a
regularly scheduled audit wouldn't take care of.
> legitimate advantages to standardizing on NT, that you don't have to hire
> (or contract) out three or more entirely different skill sets.
And all your eggs are sitting in one basket. That's not too robust from
a security point of view. I wouldn't put a BSD-based IP stack bastion in
with BSD-based servers, but with NT you don't have the option of installing a
different flavor to ensure that one bug doesn't kill everything. Your
level of assurance in NT is obviously higher than mine, or your design
principles aren't the same.
It's shouting into the wind of popular opinion though. For quite a while we
said the same thing about FW-1. None of the folks who chose it still don't
want to admit that having a firewall that passed RIP, DNS, ICMP, etc. without
*any* checking or blocking was a bad thing to field at the point in its
lifecycle that they did. I'd rather not gamble any more than I have to.
Your paranoia may vary.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]