I disagree with this assessment. In my (admittedly quick and dirty) test today, I found these issues:
- Installation needs a monitor/keyboard, although initial boot messages are where they should be, i.e. ttya. This severely limits the usefulness of SP outside a lab environment. For example, SLAs that mandate remote rebuild in the case of catastrophic failure cannot be fulfilled using SP.
- System cannot be restarted through a keypress on ttya once it has been halted. This is somewhat of a limitation for remote management, although it can be overcome by remote-powercycling after a halt.
- sshd, as someone else noted, is 3.1p1, which is known to be vulnerable.
- ssh and telnet are absent entirely. ssh is useful to connect to other systems from the firewall system (such as other managed devices "deeper in" the customer network); telnet can be useful to manage devices that are not ssh-capable, or for troubleshooting (e.g. "firewall blocks mail" .. try telnet mail-server 25 from firewall to see whether the problem is in.smtpd or the mail server itself).

Lastly and mayhap most damning:

- The complete absence of a mechanism for providing security fixes to SecurePlatform's OS in a timely fashion while retaining support from CP makes it untenable for any kind of deployment outside a lab environment.

In conclusion, a "house-hardened" RH 7.3 deployment is better suited to the task at hand. It needs more resources up-front to generate an installation set that automatically deploys a hardened OS and firewall, but in return is manageable, which SecurePlatform is not.

Regards

Shawn Behrens
(My opinions on this are very much my own, not those of my employer)

> -----Original Message-----
> From: Boules Tadrous [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 21, 2002 12:06 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [FW-1] Checkpoint/Nokia developing a Intel OS?
>
> I am currently testing SecurePlatform, it seems very good. I think they
> did quite a good job in hardening and fitting it to NG.
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED]] On Behalf Of Volker Tanger
> Sent: Wednesday, November 20, 2002 1:04 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [FW-1] Checkpoint/Nokia developing a Intel OS?
>
> Greetings!
>
> I checked the currentmost "SecurePlatform" a few days ago - but decided to
> hold back until I got confirmation from upstream support.
>
> Matthias Leu wrote:
>
> > yes, just think about SecurePlatform. It's based on Red Hat Linux for
> > Intel - and Check Point did quite a good job in hardening and fitting
> > it to NG.
>
> I fear I'll have to object strongly. The so-called "SecurePlatform" is
> based on an old RH without security-updates or -fixes. For example
> OpenSSHD is supplied in the older remote-rootable version 3.1 and the
> kernel is an ancient version 2.4.9 considered beta.
>
> Updates or fixes are not available. In fact, installing or updating any
> packages will void CKP support (according to upstream). Consequently
> support for RH's Up2Date was removed from the package.
>
> IMHO: No updates is *not* good.
> Serious holes and no updates is bad.
> Officially shipping and serious holes and no updates is ...
> ...grossly negligent?
> ...intent?
>
> really disappointed
> :-(
>
> Volker Tanger
> IT-Security Consulting
>
> PS: My personal opinion, not necessarily my employer's (official one).
> We will keep on hardening RH for CKP installation by ourselves,
> though....
>
> --
> discon gmbh
> Wrangelstraße 100
> D-10997 Berlin
>
> fon +49 30 6104-3307
> fax +49 30 6104-3461
>
> [EMAIL PROTECTED]
> http://www.discon.de/
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
