Great Circle Associates Firewalls
(December 1996)

Subject: Re: Why would someone want an NT firewall?
From: "Daniel J Blander - Sr. Systems Engineer for ACS" <Daniel.Blander@ACSacs.Com>
Date: Thu, 5 Dec 1996 22:43:04 -0800
To: Adrian Knight <knight@Harding.edu>
Cc: firewalls@GreatCircle.COM
In-reply-to: <Pine.PMDF.3.91.961205082810.639631998C-100000@Harding.edu>

I have a few disagreements here - perhaps they should be termed
clarifications and I hope both parties in this debate benefit here....
I want to point out that each platform has some strengths - and the
arguments can be balanced, but I find that the arguments placed on
this list often tend to be tainted by a bias one way or the other,
despite "humbled opinions".  Knowledge is the most important tool.  Any
administrator who believes they can just plug in a firewall and not know
anything about TCP/IP or protocols and services is taking a big risk in
thinking they are secure.  As many have said - naivety is your own worst
enemy.


On Thu, 5 Dec 1996, Adrian Knight wrote:

> 2) We don't want to hire a rocket scientist to manage our firewall.  A
> message earlier referred to firewalls being "necessarily technical."
> That's bogus.

A good point here is that you should not have to be necessarily technical
to build a firewall, but you need to be necessarily technical to configure
it in a manner that is as secure as possible.  That means knowing things
like why you don't want to allow access to X-windows, or r* services
(rlogin), or why udp has a high probability of being insecure.  Or
most notably why random modems with auto-answer turned on are
necessarily bad things...  These are not simple issues and the reasons are
not simple (although breaking in via these services usually is).  The
technical issue is not necessarily on building it - it's on knowing why you
are building it - what you are trying to protect yourself from.

> I think it's possible that a lot of people making money off
> of firewalls might want to keep them that way, but there are a lot of
> average people out there who want to AND CAN handle managing a firewall
> right along with the MANY other types of systems that are also included in
> our job responsibilities.  In this age of computers, it is no longer valid
> to try to convince people that computers are just too complicated for the
> average person.  I'm not a Microsoft Groupie or anything, but the reason
> their company is where they are today is that they realized that!

And people do it, even with UNIX.  The key is that the tools need to be
clear enough for the user, and the user needs to be aware of them (and
they need to be documented).  HP did a good job of this with SAM.  Solaris
started doing this with AdminSuite.   

I have users with antiquated SCO UNIX boxes who think it's the cat's meow
but still have a command line interface.  I have other customers who have
a spanking new Solaris box and are scared of it even though you can even
format your disk drives from a GUI and manage users and groups as well.
It's all in what you know.  Most of my belief in selling systems to
customers follows your comments about making a system simple.  It should
be easy to use and simple.  It should be reliable and well tested.  It
should be walk-up-and-do-it-yourself simple (although I wouldn't trust
anyone to do it...see above about necessary knowledge).  UNIX can be and
often is that.  But unfortunately Microsoft has been trying to snow the
public for too long.

> Because our firewall is on an NT platform and has a good GUI, I can be
> gone for a couple of weeks and even my boss, a manager, can sit down and
> make changes to the firewall comfortably.  Several other people in the
> computing department with the password could do the same if they had to.
> After two years, nobody else could sit down to my Solaris box and do
> anything except manage to shut things down. 

Training, training, training.  You think your manager or boss understands
why you don't let things like telnet incoming or file shares going out on
the Internet?  If he does, then he can touch it.  If he doesn't then I
wouldn't do it.  Just because the interface is easy doesn't mean anyone
can do it right.

> 3) At the time of my research a year ago, most mainstream firewalls ran 
> on minicomputer-class machines like Sun Sparc, HPUX, AIX.  For an 
> educational site with good discounts, a platform like that ran around 
> $15,000.

Try list of $7995 (street price $6500?? - educational for far, far less)
for an UltraSPARC 1 Model 140 32mb, 2.1gb....or maybe a PC. (Not
necessarily NT mind you!!  Why not Linux or Solaris?)

> We put our firewall on a well-endowed NT PC for $5,000.

My last one cost $4,500 on a SPARC and the software was $4,995
 
> Hardware and software maintenance is also much cheaper

Not last time I looked for service contracts that gave me free updates of
the OS and all patches shipped to my door, or unlimited phone support on
an instant connection....

> There are many other reasons that I chose NT over Unix, but I'll leave it 
> here.

NT has its strengths, but listening to the NT security lists as I have, I
am not happy with the security and stability.  It scares me when the
system will take a dump under routing loads (or can't route if it's 3.51).
Will NT get there?  Good chance of it.  Do many people feel comfortable
with it?  Yes.  Why?  They have all used the interface in one form or
another in the past - and think the interface is the whole story.  And NT
is much cleaner and free of GPFs than Windows 3.1x.  But that is short of
what UNIX has been doing for years.  I think the two worlds are colliding,
but have not overlapped.  Just be careful to correctly judge your
adversary (sp?) on the truth - it makes your disagreements much more
truthful.  You have good points - UNIX vendors and users have not focused
on ease of use - that's not where they came from.  UNIX came from the top
and is working its way down.  Windows came from the desktop and is working
its way up.  Each has its issues and now the users are invading each
others' territory.....

The fireworks will be very amusing to say the least....

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Daniel Blander 	=8^)	                    
 Sr. Systems Engineer	 Applied Computer Solutions 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Phone: (714) 842.7800		Fax: (714) 842.8299
 Email: Daniel.Blander@acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 The Official Applied Computer Solutions Home Page
	     and Tech Tip of the Week:
	       http://www.acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
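The services the reply singles out (X-windows, r* services, incoming telnet, outgoing file shares, and UDP in general) can be turned into a mechanical second opinion on proposed rule changes, which is one way to back up the "training, training, training" point when someone less experienced has the password. This is an added example, not code from the original message or from any firewall product it mentions; the one-line rule syntax, the port-to-service mapping and the wording of the findings are assumptions made for illustration.

```python
from dataclasses import dataclass

X11_PORTS = range(6000, 6064)      # X-windows displays :0 .. :63 (assumed mapping)
R_SERVICE_PORTS = {512, 513, 514}  # rexec, rlogin, rsh
TELNET_PORT = 23
SMB_PORTS = {137, 138, 139}        # NetBIOS / SMB file sharing

@dataclass
class Rule:
    action: str     # "allow" or "deny"
    direction: str  # "in" = from the Internet, "out" = to the Internet
    proto: str      # "tcp" or "udp"
    port: int       # destination port

def parse_rule(line: str) -> Rule:
    """Parse the hypothetical one-line syntax, e.g. 'allow in tcp 23'."""
    action, direction, proto, port = line.split()
    return Rule(action, direction, proto, int(port))

def review_rule(rule: Rule) -> list[str]:
    """Return the reasons a proposed rule should not be applied blindly."""
    findings = []
    if rule.action != "allow":
        return findings             # a deny never widens exposure
    inbound = rule.direction == "in"
    if inbound and rule.port in X11_PORTS:
        findings.append("inbound X-windows exposes displays and keystrokes")
    if inbound and rule.port in R_SERVICE_PORTS:
        findings.append("r* services trust hostnames and addresses, which can be forged")
    if inbound and rule.port == TELNET_PORT:
        findings.append("incoming telnet carries passwords in clear text")
    if not inbound and rule.port in SMB_PORTS:
        findings.append("outgoing file shares leak SMB traffic to the Internet")
    if rule.proto == "udp":
        findings.append("udp is connectionless, so the source address is not verified")
    return findings

def review_ruleset(lines: list[str]) -> dict[int, list[str]]:
    """Map the index of every rule line with findings to its findings."""
    report = {}
    for i, line in enumerate(lines):
        findings = review_rule(parse_rule(line))
        if findings:
            report[i] = findings
    return report

# Constructed sample rule set; the web server is fine, the rest need a second look.
SAMPLE_RULES = ["allow in tcp 80", "allow in tcp 23", "allow out tcp 139",
                "allow in udp 6000", "deny in tcp 514"]
```

A change that produces no findings can still be wrong; the check only catches the handful of well-known mistakes named above, which is exactly why the message insists on knowing the protocols rather than trusting the interface.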


