Russ:
Am not going to comment on your excellent posting except to reiterate
that "NT is shunted aside" (bypassed) "for critical firewall operations."
The fact that the Kernel cannot be stripped down like Unix is not a positive
factor in my mind.
Further the fact that the source code is not available for review would
not bother me particularly since it is from a major corporation except that I
(personally) do not *trust* Microsoft to that extent.
Why ?
- CHKDSK in DOS 5.0
- Dblespace/Smartdrv Interaction in Dos 6.0
- Information that was *wrong* released to AV developers fighting the "prank
macro" (Winword.concept) virus.
and that's just off the top of my head.
*In each case* dates in the application notes released indicated that M$
knew of the problem - often months before they came to light - but failed
to inform their customers *even when they started screaming*. Only after
the problem was traced to explicit code in a specific program would the
relevant application note be produced.
Additionally, my impression of the ANs has been that unless you already knew
what the problem was, the Note does not really make sense. Often it just
says what you can do without mentioning why you would want to do it.
OTOH, some of the things they do do make me wonder if they really understand
their products. Take WD1215, the response to Word Macro viruses (or more
accurately, their response to *a* Word macro virus (there are 10 or 12 now)).
Reading the README you come across a disclaimer that the mechanism is less
than effective when "drag and drop" is used. What it does not say is that
apparently ccMail uses this mechanism to open Word and so the SCAN macro
just informs you that you is been had (not necessarily always) if infected
E-Mail is passed by the mailer. What, pray tell, is the most common vector
for this kind of infection ?
Now while today, I do not know of any reason not to trust NT for firewalling
other than proven products exist which provide end-to-end responsibility
(good reason to buy a hardware/software turnkey product if you have the
funding). Buying hardware, loading an OS from a different vendor, and loading
firewall software from a third is just asking for massive finger pointing
in the event of a difuglety. Particularly if one of the vendors is known to
do so. A lot.
Warmly,
Padgett
ps ANFSCD: does anyone into vacuum tube devices have a full spec sheet
on a European DK-92 tube (American equivalent said to be 1AC6).