At 10:50 AM 12/5/2000 -0800, Martin wrote:
>Brian Ford wrote:
><snip>
>>I totally disagree that holes in OpenBSD environment get fixed faster. In the open
>>source environment you have many more developers, each with their own interpretation
>>and capabilities for executing test requirements. I would wager that a few can
>>expend the level of effort that goes into testing a commercial product (ours or any
>>of the other large commercial players). Commercial developers do much more to
>>mitigate risk, as we are able to better enforce development and test standards.
>
>In a closed environment such as Cisco's (or nearly any other company, mind you) where
>we are not able to see source, exploits frequently take longer to be fixed because
>there is less pressure.
I can't disagree more. Vendor reputation is on the line every day. You said you
worked for Cisco. I don't know when, but I can tell you that, as long as I have been here,
product teams have always made it a priority to correct bugs or at least develop a
workaround as quickly as possible.
>Security through obscurity is nonsense. Mind you, the PIX (and other Cisco products)
>is generally considered to be secure, but how many holes have there been which may or
>may not have been exploited at least once before they were fixed? Not every released
>version of the PIX software actually worked properly (I had severe problems with TCP
>connections being aborted without warning or reason with 4.4(7) before I upgraded to
>a 5.x version of the PIX OS) so I am extremely skeptical about a group of people who
>release a buggy product as release being able to produce a 100% secure internet
>appliance.
I think we both know that there is no such thing as 100% secure (except Marcus Ranum's
infamous firewall).
>>>So if you're willing to spend the time and do the homework, then perhaps you would
>>>actually be better-protected if you used OpenBSD and ipfilter than if you used a PIX.
>>>It would just be a whole lot more work and probably involve more downtime.
>>Not to mention the cost of finding and retaining the people needed to support such
>>an environment. We have the luxury of communicating with many smart people in this
>>forum. But you have to agree that there are not enough people available in the
>>market with the skills needed to implement and maintain the types of solutions you
>>are talking about.
>
>How many do you need? There's not a lot of them out there, but you only need to find
>one of them. In addition, there's LOTS of people capable of running OpenBSD -- that's
>anyone with a smidgen of Unix knowledge. Assuming they know their business (security)
>then they can slap something like that together, disable everything that doesn't need
>to be running on the box, and watch the bug lists. You don't get out of that kind of
>responsibility by installing a PIX, regardless.
>
Brian Ford