On Mon, 14 Jun 1999, John Wiltshire wrote:
> As for my rationale in blaming TCP/IP for physically secure networking:
> i) Security trust is established between machines on NT through the NTLM
> authentication process. Dockmaster provides a single host interface to the
> web which does not require trust of another machine in the network.
Trust in the DockmasterII scenario is done at the application layer or
transport and application layers. We're talking about secure systems
here; your conjecture that NT isn't secure on a network because it's
TCP/IP's fault is where I have the problem.
> ii) Perhaps I was a bit premature? NetBeui was also enabled in the
> certified system and it is less secure than TCP/IP.
> iii) It was a good scapegoat. NTLM is susceptible to man-in-the-middle attacks
> in the setting up of trusts between domains and server/workstation within
> the domain - there was a discussion of this in NTBugtraq a little while ago.
> As I said before, Dockmaster is obviously not susceptible to this due to its
> failing to trust any other machine and having a different networking
> strategy.
It has to trust a client to serve them data. It has to protect data from
untrusted or less-trusted clients. Does NT not have to do the same things
on a network?
> Is this a cop-out on NT? I don't believe so. Your views may vary of
> course.
Obviously.
> Now, is it fair to compare Dockmaster to NT in a firewalling situation? How
> many clients would you in good conscience recommend Dockmaster as a firewall
> system? Probably a lot less than I'd recommend NT to...
I've recommended a product based on the same technology quite a few times
in very good conscience. But then I'm more interested in providing
security than in being "fair" to less secure solutions. It's fairly
obvious that you'd recommend NT to anyone, so I'm not sure that question
is valid.
> > > > "What slays me about Microsoft is how badly their software can coexist
> > > > with other products, *including their own*. A classic example is
> > > > their aforementioned Proxy Server. When you set up NT with the Option
> > > > Pack and Service Pack 3, it installs Internet Information Server 4.0
> > > > by default. Which is fine, except for one small detail: it *breaks*
> > > > Proxy Server. We had to back IIS 4.0 out of the system and install
> > > > IIS 3.0, which has no trouble working with Proxy Server. AFAIK, there
> > > > is still no fix to get Proxy Server working properly with IIS 4.0."
> > >
> > > Except this comment is just plain wrong. We have had Proxy server working
> > > with IIS4 just fine for over a year now.
> >
> > "If it works for some people and not others, it's a specious argument,
> > and has nothing to do with the order of fixes applied, or the vendor's
> > fix strategy?" Some people put a lot of work into trying to get some fix
> > and patch ordering mechanisms done because it wasn't designed into the
> > product or its upgrade mechanism. That's a failing, if you choose not to
> > recognise it as such or not.
>
> Hmm... I installed IIS4 and Proxy Server 2.0 as recommended in the
> installation document PROVIDED BY MICROSOFT. Read the release notes for
> Proxy Server (Q174922).
I don't and won't install MS Proxy Server anytime soon. My point was that
the poster of that piece of information had actually done so (correctly or
not) and therefore the experiences you denigrated as hearsay seem to have
been founded in fact.
>
> > > Did you bother to check your facts before you went public, or just posted
> > > rhetoric that you heard about for your own unfounded prejudices?
> >
> > Tried to implement the software and failed, seems pretty founded to me.
> > Also seems indicative of the "moving target" syndrome I listed in the
> > list that none of the NT advocates seems to want to talk about.
>
> I'm happy to talk about it.
>
> How is NT any more of a moving target than systems such as Solaris, Linux or
> HP/UX? All of these have been reviewed at least as many times as NT since
> 1993, Linux in fact has been reviewed many times more.
As I stated, Open Source is a different beast entirely, and the trust
model isn't relegated to a single type as it is in closed source products.
However, the point stands that you can stick with a vetted release and
patches and still field new systems using them. You can still purchase
Solaris 2.5 if you're standardized on that release.
> Microsoft is still rolling out service packs for NT 3.51 because it worked
> well and people still use it because it is not the "moving target" you are
> alluding to. In fact I would say the whole thing is a strawman argument.
You're about the only person I've ever heard espousing NT 3.51 as working
well.
>
> > > Yeah. Just like those Unix systems that passed with no apps. Get a
> > > freaking clue!!
> >
> > With the caveat that it's under evaluation (or was last time I looked -
> > I've not checked to see where it is in the cycle recently), and there's
> > been no FER yet, DG/UX at _network_ B2 with DOCKMASTER II includes an Apache
> > derivative, Sendmail and Cybershield in the configuration. As a part of the
> > TCB, they carry the rating configured and in-use on the system. Now, I've not
> > looked at any of the CMW or other *nix validations, so I'll ask- are
> > *you* sure no applications were included in the TCB, or is this conjecture?
>
> For a start, it was ITSEC, not C2 that we were talking about. I'll happily
> say that particular NT systems being rated C2 means nothing at all except
> that it is a proof of concept. Now ITSEC is a vastly different question -
> it shows that a system can be made ITSEC compliant through following a set
> of installation guidelines.
I've already posted my comments on TCSEC vs ITSEC evaluations.
> ITSEC rates NT as an operating system, and as such does not include
> applications in the system. However, included in the installation
> instructions is "Install applications (such as Microsoft Office 97) as
> required." Seems to indicate some apps were included (though not as part of
> the TCB).
So, in other words, you've no basis for your statement "Just like those
Unix systems that passed with no apps?"
[snip]
> My point exactly. You claim to have such a good knowledge of systems and
> yet can't reliably install an NT system when plenty of other people in the
> world can (go over to NTBugtraq sometime and see for yourself).
As I stated, sometimes it's good, sometimes it's bad. Since MS Tech
support doesn't seem to be able to help in the instances it isn't other
than with a complete re-install, it isn't just me. FWIW, the NT Server on
my desktop has only died six times in the last 3 years. As far as
NTBugtraq goes, I've been on the list since it was started, and spent a
while on the phone with Russ he set up the site was coming up helping with
router screening.
> I'm not claiming my knowledge is as broad as yours, just my prejudice is
> somewhat less radical than yours. You say now that your points apply equally
Yep, I'm highly prejudiced against insecurity and lack of good security
design principles. Ask any security product vendor I've ever met with.
> to NT as to Unix systems and other OSes and yet you posted nothing like this
> in your original post. If you are as unbiased as you want to make out now
> then you should have said so in the list of points, rather than flaming NT
> specifically.
The question was specifically about NT, I addressed it. Funnily enough
that's generally what people expect.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280