mouss,
At 07:07 PM 12/4/2000 +0100, mouss wrote:
>At 20:09 03/12/00 -0500, Brian Ford wrote:
>
>>Thanks for the humor Kriss.
>>
>>I think the point that Kriss has missed is the integrity of the operating system
>>that is running on the "standard ole' Intel machine". Purpose-built firewall
>>appliances, like the Cisco PIX, run a proprietary operating system. That means that
>>it is a couple of degrees harder for all those script kiddies out there to find and
>>exploit a vulnerability in these firewall appliances.
>
>possible, but if you rely on that, you're relying on security by obscurity.
I agree what I wrote could be taken that way, but that was not my intent. Using a
proprietary OS and controlling the development of that solution allows us to craft
our response to various probes and conditions.
>Also, there are not thousands of OSes. The PIX is probably a derivative of
>BSD or the like. So, assuming that it is very different from known OSes is
>probably wrong.
>
>>So, if you want to buy and configure a software firewall machine yourself, or even
>>avail yourself of the services of an integration vendor, you still need to be
>>concerned with hardening and maintaining the underlying operating system and all that
>>goes along with that, like looking at device drivers, etc... (as well as the software
>>product).
>
>There is no such thing as hardening an OS, apart from those marketing claims by
>fw vendors. Generally, hardening the OS means recompiling after disabling unneeded
>things such as NFS, exotic drivers, ... The guys don't rewrite the code. If they ever
>do, then they lose the advantage of maturity.
I totally agree when you are talking about deploying a product on a generic OS.
>Just see MS: a huge company, with huge resources, with smart developers, ...
>They tried to rewrite the inet code, they succeeded, but how many bugs?
>See Sun: they abandoned the BSD code of SunOS for SYSV stuff, claiming it was
>for modularity, modernity, ..., but the only benefit was new bugs. Modernity
>is the strict opposite of maturity when it comes to software dev, unless people do
>the right things to get the right job done right, but only very few companies
>really bother...
>
>Brian,
>Cisco is a great company and sells good products, but defending a good cause with bad
>arguments is not a good idea.
Point taken. I don't intend to always defend. Only participate.
>Regards,
>mouss
Best Regards,
Brian
Brian Ford
[EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]