Great Circle Associates Firewalls
(October 1997)

Subject: Re: Unlimited Users Firewalls
From: "Billy Verreynne" <vslabs @ onwe . co . za>
Date: Sat, 25 Oct 1997 11:59:18 -0000
To: "Paul D. Robertson" <proberts @ clark . net>
Cc: <Firewalls @ GreatCircle . COM>

> Paul D. Robertson <proberts @ clark . net> wrote:

> > > I would also say stay away from NT firewalls because the NT TCP/IP 
> > > stack is not as robust as Unix in a high volume environment.
> > 
> > On what facts do you base this?
> 
> It still doesn't forward packets back out the same interface they arrive on
> in some instances.

Yeah, which is the exact same problem we're having with Unix on a SMP box!

> Which means that they've been vulnerable to serious problems and attacks 
> for several years now, and attack vectors are certainly a topic on 
> firewalls, I'm not sure how 'people running buggy software' plays into 
> that though, at the operating system level or not.

But then why blame the operating system and "bad" protocol stacks? It's
easy to knock things - but more difficult to find solutions for
problems.

You know how the Inner Circle hacked into a very secure site? They simply walked
into an office where the terminal was still logged on and the user was out at
lunch. It's great getting all technical about protocol stacks, operating
systems etc., but I've not once seen anyone on this mail list talk about
(IMHO) the *real* security problem - users. You can have whatever security
software in place, but if a user writes down his password on a
stick-it-note and sticks it to his computer screen, we're still screwed when
it comes to security. And yeah, many of the users I know actually do it!

> Probably most of their interaction is MS to MS, which certainly makes it 
> an invalid test case, especially for firewalls which must interact with 
> the world at large.

The statement was that NT's TCP/IP implementation is bad. My response was
that I've never experienced it, except for the well documented problem with
OOB packets to certain TCP ports and problems with network services doing
stupid things like running pipes across TCP instead of sockets. 

> Then you don't have a very good measure of 'high volume', as even very 
> few Unix stacks fit my definition.

Hehehe. It's like the definition of a VLD (very large database). At one
conference this guru was asked to define a VLD. His reply - "twice the size
of the largest database in your current environment".

> Which is the point of Firewalls, is it not?

I thought we're all stuck in some endless gosub routine... ;-)

> > NT has received a lot of flak, especially from the Unix lovers, but it is
> > still a good operating system and one that is used (as with Unix)
> > throughout the world by many companies for running mission critical
> > applications.
> 
> None of which is applicable to firewalls.  When you get an uptime of 2+ 
> years on an NT box, come talk to me about mission critical 24x7 access.

Semantics. The "right" platform for a firewall may not be NT. But I know of
companies running 24x7 mission critical systems on NT. It seems to me that
too often sweeping statements are made about software, operating systems
etc. without "just the facts ma'm". ;-)

regards,
Billy
