Brian Ford wrote:
> What about all the engineering (development and test) hours that go into
> development? Cost Of Goods Sold (or COGS) is only a portion of what goes into
> determining price. There are no open source components in there. It's all developed
> by a team of engineers at Cisco. The same holds true for other commercial products.
Sure, that's true. Of course, I've worked for Cisco, and I wasn't all
that impressed with every engineer I met, though there are certainly
diamonds in that rough. I like Cisco products, but I don't buy Cisco's
every party line.
COGS is meaningless anyway. The price of an object is whatever the
market will bear. That's the end story, and that's why Cisco gear is so
expensive.
> Don't get me wrong. I think open source tools are great. I think OpenBSD is great.
Good, me too.
> I totally disagree that holes in OpenBSD environment get fixed faster. In the open
> source environment you have many more developers, each with their own interpretation
> and capabilities for executing test requirements. I would wager that a few can
> expend the level of effort that goes into testing a commercial product (ours or any
> of the other large commercial players). Commercial developers do much more to
> mitigate risk, as we are able to better enforce development and test standards.
In a closed environment such as Cisco's (or nearly any other company,
mind you) where we are not able to see source, exploits frequently take
longer to be fixed because there is less pressure. Security through
obscurity is nonsense. Mind you, the PIX (and other Cisco products) is
generally considered to be secure, but how many holes have there been
which may or may not have been exploited at least once before they were
fixed? Not every released version of the PIX software actually worked
properly (I had severe problems with TCP connections being aborted
without warning or reason with 4.4(7) before I upgraded to a 5.x version
of the PIX OS) so I am extremely skeptical about a group of people who
release a buggy product as a release being able to produce a 100% secure
internet appliance.
>> So if you're willing to spend the time and do the homework, then perhaps you would
>> actually be better-protected if you used OpenBSD and ipfilter than if you used a PIX.
>> It would just be a whole lot more work and probably involve more downtime.
>
> Not to mention the cost of finding and retaining the people needed to support such
> an environment. We have the luxury of communicating with many smart people in this
> forum. But you have to agree that there are not enough people available in the
> market with the skills needed to implement and maintain the types of solutions you
> are talking about.
How many do you need? There's not a lot of them out there, but you only
need to find one of them. In addition, there's LOTS of people capable of
running OpenBSD -- That's anyone with a smidgen of Unix knowledge.
Assuming they know their business (security) then they can slap
something like that together, disable everything that doesn't need to be
running on the box, and watch the bug lists. You don't get out of that
kind of responsibility by installing a PIX, regardless.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]