At 04:22 PM 11/22/95 -0800, you wrote:
>> ... Putting
>> a secure application on top of an insecure O/S leaves you insecure.
>This is correct. But I think it's important to understand what "on top"
>means. As I understand it, when Firewall-1 is installed on a Solaris
>machine, the filtering code goes between the driver and the rest of the
>OS. So who cares if the OS is "insecure" when the OS won't see any
>packets it's not supposed to based on the filters that are defined.
>In this case FW-1 is not really installed "on top" of the OS but
>"inside" (or underneath?); a subtle but important distinction.
>> Fortified Networks Inc. - Management & Information Security Consulting
>> Phone: (317) 573-0800 - http://www.fortified.com/fortified
Well, not quite that simple, Frank. A non-hardened (i.e., off-the-shelf) is
itself harder to crack. In theory at least, a Bad Guy could get into the OS
itself and change the way packet filtering is handled. In other words, the
risks are not limited to those things which the firewall is attempting to
Doug Kaye <dkaye @
com> Rational Data Systems, Novato, CA
Tel:415-382-8400 FAX:415-382-8441 http://www.rds.com