White man speak with forked tongue.

The virtue of the "dedicated OS" on the PIX is that it's small and was
purpose-built to do firewalling stuff. Not that it's closed source. That bit
sucks.

It's long been acknowledged that security through obscurity is bunk. Script
kiddies don't write their own code. Period. Clueful people can run a
disassembler - some would probably even find that more interesting than just
trudging through source.

More to the point, most vulnerabilities now (and certainly the last couple
of big PIX ones) aren't found by people examining the code - they're found
by vuln-dev theorists who think about code behaviour at a meta-level or by
people just "screwing around" with unexpected inputs.

(Sorry to be so blunt with this one, Brian - you hit a sore spot. Have you
been in close contact with any marketers or salespeople lately? If so I
think there are post-exposure vaccines you can get...;)

Cheers,

--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304

> -----Original Message-----
> From: Brian Ford [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 4 December 2000 11:40 
> To: [EMAIL PROTECTED]
> Subject: Re: Hardware Firewalls
> 
> Thanks for the humor Kriss.
> 
> I think the point that Kriss has missed is the integrity of
> the operating system that is running on the "standard ole'
> Intel machine".  Purpose-built firewall appliances, like the
> Cisco PIX, run a proprietary operating system.

[...which provides security through obscurity. And, after all, you should
always trust someone else to review the code that's affecting your
organisational risk management decisions.]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]