At 20:09 03/12/00 -0500, Brian Ford wrote:
>Thanks for the humor Kriss.
>
>I think the point that Kriss has missed is the integrity of the operating
>system that is running on the "standard ole' Intel machine". Purpose
>built firewall appliances, like the Cisco PIX run a proprietary operating
>system. That means that it is a couple of degrees harder for all those
>script kiddies out there to find and exploit a vulnerability in these
>firewall appliances.
Possible, but if you rely on that, you're relying on security by obscurity.
Also, there are not thousands of OSes. The PIX is probably a derivative of
BSD or the like. So, assuming that it is very different from known OSes is
probably wrong.
>So, if you want to buy and configure a software firewall machine yourself;
>or even avail yourself of the services of an integration vendor, you still
>need to be concerned with hardening and maintaining the underlying
>operating system and all that goes along with that like looking at device
>drivers, etc... (as well as the software product).
There is no such thing as hardening an OS, apart from those marketing claims by
fw vendors. Generally, hardening the OS means recompiling after disabling
unneeded things such as NFS, exotic drivers, ... The guys don't rewrite the
code. If they ever do, then they lose the advantage of maturity. Just see MS: a
huge company, with huge resources, with smart developers, ... They tried to
rewrite the inet code, they succeeded, but how many bugs? See Sun: they
abandoned the BSD code of SunOS for SYSV stuff, claiming it was for modularity,
modernity, ..., but the only benefit was new bugs. Modernity is the strict
opposite of maturity, when it comes to software dev, unless people do the
right things to get the right job done right, but only very few companies
really bother...
Brian,
Cisco is a great company and sells good products, but defending a good
cause with bad arguments is not a good idea.
Regards,
mouss
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
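The "hardening" mouss describes above amounts to disabling everything the host does not need (NFS, exotic drivers, and so on). The following is an added example, not code from the thread or from any vendor mentioned in it: a POSIX sh audit that compares the services enabled on a firewall host against a minimal allowlist and reports the ones that should be switched off. The service list and the allowlist are constructed for the example; on a real host the list would be taken from inetd.conf, the rc scripts, or the init system, and the allowlist would reflect the site's own requirements.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): a minimal audit of enabled
# services on a packet-filtering host, flagging those outside an allowlist.

# Services a bare firewall host is assumed to need. Hypothetical allowlist;
# adjust to the site's actual requirements.
ALLOWED="sshd syslogd ntpd"

# Constructed sample of services enabled on a freshly installed box.
SAMPLE_SERVICES="sshd
nfsd
mountd
rpcbind
sendmail
syslogd
ntpd
portmap"

# Print each service in a newline-separated list that is not in ALLOWED.
flag_unneeded() {
    printf '%s\n' "$1" | while IFS= read -r svc; do
        [ -n "$svc" ] || continue
        needed=0
        for a in $ALLOWED; do
            [ "$svc" = "$a" ] && needed=1
        done
        [ "$needed" -eq 0 ] && printf '%s\n' "$svc"
    done
}

# Number of services that would have to be disabled to reach the allowlist.
count_unneeded() {
    flag_unneeded "$1" | wc -l | tr -d ' '
}

# Report for the constructed sample: the RPC/NFS trio, portmap and sendmail.
flag_unneeded "$SAMPLE_SERVICES"
```

Everything the audit prints is a candidate for removal from the boot configuration; the point of keeping the allowlist short is that a service which never starts cannot be the one an attacker reaches, whatever the vendor's claims about the OS underneath.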