On Tue, 30 Jan 2001, "SERCONI, Miguel Hernández" wrote:
> Hello everyone. I'm more or less new in firewalls. Can anyone tell me why
> nobody in this list uses Microsoft Proxy Server?
The original version of Proxy Server had some serious issues as a
firewall, and indeed even Microsoft didn't market it as a firewall.
Sweeping statements like "nobody" probably aren't appropriate, but
market-share wise MS Proxy Server certainly isn't significant at this
point, so you'd expect a low volume of people to be using it given (a) it
wasn't marketed as a firewall and (b) not many people chose to use it as
such.
> Where are the differences. Is there any good paper with a comparison of
The differences between Proxy Server and *what*? There are probably over
100 products on the market which wish to call themselves firewalls. My
employer does firewall certification, and at any given time is probably
examining between 60 and 80 different firewall products [1].
> them? From a point of view of someone that doesn't know anything about linux
> it seems to me as not secure because everyone knows the code and can change
> it.
Having the code available means also that many people can fix it.
However, there are things you seem to be missing in logic:
1. Having the OS code available doesn't necessarily equate to having the
firewall code available, unless you're comparing a proxy with the native
OS packet filtering, in which case you *really* need to go back and do
more research about firewall types.
2. Just because you've seen/changed the source code doesn't mean you can
get it loaded on an operating platform maliciously. If that were the case,
we'd all be extra worried about Microsoft's licensing to universities of
source code and the thousands of ex-Microsoft employees.
One of the extra-nice things about source code availability is that if you
take enough time to actually build your firewall, you (or your vendor) can
rip out monstrous amounts of code that have nothing to do at all with
firewalling. That should reduce the number of potentially buggy or
vulnerable lines of code. Firewalls are special purpose devices, and
basing them on general purpose operating systems brings a lot of
unnecessary baggage to the table.
I've used both commercial products and self-built firewalls over many
years. They both have their place and appropriate uses. The reason that
we don't have just one or two firewalls available in the marketplace is
that choosing a firewall isn't about popularity contests or even OS
religions, but about making an informed choice for a particular
environment, support structure, traffic load, availability scenario, etc.
If you make a thorough analysis and MS Proxy fits your needs, then by all
means use it. Questioning why someone else made a different choice is like
questioning why everyone in your neighborhood isn't driving the same type
of car, using the same fabric for curtains, or wearing the same style and
color of clothing.
If you wish to *learn* about how Operating Systems and firewalls work,
then you're basically stuck with an Open Source solution. There's probably
no way that you'll ever see how any proprietary system works. If you want
to be able to compare systems without working for the vendor directly,
then knowing how things work helps tremendously. If you just want to
install a firewall, then you're going to have to either get someone who
can evaluate your needs and choose correctly, believe what the vendor
tells you, look at 3rd party tests or certification/evaluations, or go
with blind luck.
Paul
[1] This isn't a commercial, if you want information ask for it off-list.
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."