Hi, note this cross-post to the FW-1 list.
-> From: "gill" <[EMAIL PROTECTED]> on 11/06/99 04:21
-> >
-> > It has been my experience that the majority [of FW1's] are installed
-> > on Solaris and NT boxes.
-> > [Snip]
-> >
-> > This reasoning does not lead me to believe that the NT OS is an inherently
-> > secure one, but it does lead me to believe even more strongly that the NT
-> > OS *can* be made secure and that the real important factor is the installation
-> > and administration ... a point that has been made several times through
-> > the course of this discussion.
-> >
->
-> Sorry for adding to the noise - I just can't stay quiet any more.
Understood ;)
-> Fact: FW1 on NT is simply not as good as FW1 on Solaris.
->
-> For instance, I've seen FW1's on NT go belly-up just
-> by sending them several large, illegally-fragmented pings.
-> As you may guess, this does not happen to FW1's running
-> on Solaris.
->
-> You simply cannot judge security from popularity.
-> Once you start looking at NT in detail, and I don't
-> mean looking at what services are running and what
-> Microsoft says that they do, you can clearly see the flaws.
->
Yes, in my original post and in nearly every response to it and once again I
would like to reiterate, quoting again what you have stated above:
-> You simply cannot judge security from popularity.
And anyone who thinks otherwise is a fool. Let's move on to the meat of the
discussion...
With my experience of FW-1, and with the comments of those on this and other
lists noted, FW-1 seems to be a well liked and popular software firewall
product. It consistently gets rave reviews in the trade rags (and yes, I
notice the full-page, full-color ads from CheckPoint in those same magazines
and think I understand something about how that all works), and consistently
is spoken well of by the security professionals and gurus that I know. So,
why then would a company that seems to have the fast track to market share
with a rock-solid product risk creating an insecure firewall by porting or
rebuilding it to run on NT 4.0? That doesn't make much sense if NT is
indeed as insecure and buggy as it is being called here. There are all kinds
of bad press that will happen when FW-1 boxes built on NT start getting
compromised that may or may not balance against the increased revenue from a
version of the product built to run on an increasingly popular NOS.
[snip]
->
-> Actually, my personal opinion is that the *best* foundation
-> for a firewall is a "clean slate". That is, run the firewall
-> on its OWN miniature operating system, and start with a clean
-> IP stack that is designed to do only two things : forward and
-> filter packets.
-> Doing that, you don't need to start patching up the underlying
-> operating system and IP stack with its complex and therefore
-> inherently insecure design. Operating systems need to be able
-> to do LOTS of things. Firewalls don't.
->
-> 'nuff rambling.
Not at all, thanks for offering your views (and not blindly throwing your
feces about the room). I am interested in what your favorite(s) would be.
--James
=====================================
James Gill * http://www.topsecret.net
=====================================