I promise not to drag this thread out any longer than it absolutely has to,
but a couple of generalizations by John Betts need to be addressed.
"Not every person who puts NT boxes (or any other unix box for that
matter) on the Internet knows about things like disabling guest account,
setting permissions on shares correctly, etc."
This is unfortunately true, but I fail to see its relevance in this
discussion. Basically, you are saying that people don't know/aren't
interested in properly securing their boxes (any OS) despite putting them
in risky environments, which is one of the reasons this list exists, so we
all knew that one already. The basics, like disabling guest privileges,
setting permissions on shares correctly, etc. are just that, basics.
"My main point against NT firewalls is the following: _as a general rule_
people who want NT firewalls, want them because any tom, dick and harry can
get them going, without extensive knowledge of security and tcp/ip."
Funny, but isn't it true to say that anyone who goes out and buys any
firewall is doing so because they don't want (don't have the time) to have
to learn everything that the firewall vendor learned about security and
tcp/ip? Isn't the whole idea behind a purchased firewall that it should
make it easier to get them going rather than programming it all yourself?
A Borderware firewall gets plugged in, installed (which any tom, dick, or
harry could do), and is up and running, with all ports closed. A couple of
menu selections later and your site has HTTP, SMTP, FTP, NNTP access to the
Internet, securely. Any idiot could set up a Borderware firewall, with no
real understanding of either security or tcp/ip (no more than any other
machine where you have to configure a network stack). Same holds true for
many of the commercial Firewalls available today.
This is not an NT-thing!!! Personally, I believe that people who want to
buy an NT-based Firewall are simply trying to provide a consistent interface
to their client environment. Probably the single most important reason
I can think of is integration with an existing user database, thereby
avoiding having to have multiple databases to administer. The old "single
sign-on" thing. Truth be told, getting an NT-based Firewall does not
translate to "single sign-on", there are far better methods (like ACE) to
achieve that goal. However, if your environment doesn't include Unix
boxes or large servers (a.k.a. mainframes), an NT-based Firewall may make
administration considerably easier.
"I have no problem with firewalls that are so easy to administer, etc., BUT,
generally, the people who set up these easy-to-use firewalls don't
know/think about things like disabling guest account (I know, lame
example), or setting permissions on shares (or disabling all shares, or
whatever), etc., and if the firewall software doesn't do this for them, then
their firewall host can be easily compromised...."
I don't know of any NT-based Firewall product available today that does not
do the things you are talking about during its installation, and I've
looked at more than most. The statement would imply that you have seen an
NT-based Firewall that doesn't do this, and if so, which one? I want to
know. What you are implying is that the designers of *some* NT Firewall
products do not know about these basic security steps. I have not seen an
NT Firewall which can be installed *insecurely*.
Products like WinGate, or Catapult, are not Firewalls, but proxy servers,
and while their security is no less important than that of a firewall, they
are both designed to run with other applications on an NT-box (WinGate
wasn't specifically designed for NT, but will run on NT). As such, neither
imposes a security model on the installer and instead leaves it up to the
installer to decide what to do to secure the box properly. Both can be
installed *insecurely*, such that the box can be compromised.
"It takes time and knowledge (well, more like common sense) to make an NT
box secure(ish). We all know that a large majority of ppl who insist on NT
because of its ease of use, and requirement for little to no knowledge of
system administration and security, don't have the time and knowledge to
secure their box."
Again, this generalization applies to all computers, period. I personally
don't think that there is a large majority of people who are insisting on
NT because of its ease of use, and requirement for little to no knowledge
of system administration and security. If that was true, it wouldn't be so
difficult to find people who are good at NT. NT's administrative model is
no less complex than Novell's, or Banyan's, and in some cases it can be far
more complex (due to the lack of Directory Services). By default, both NT
and Novell are very wide open after an initial installation, so NT doesn't
simplify the security either.
I would counter your generalization with one of my own. A large majority of
people who are administering NT do have the ability to properly secure a
large majority of the security requirements of an NT environment. It's sad,
but true, that many companies do not give their administrative IS staff
enough time to properly configure that security or properly construct a
viable security policy, regardless of the OS involved.
"I hope that I did not offend or mislead anyone here."
Offend, definitely not. Mislead, you continue to do so...;-]
"if so, I'm sorry, and you are welcome to flame my
procmail^H^H^H^H^H^H^H^Hme ;-)"
Well, here goes...;-]
Cheers,
Russ