Firewalls: Re: Source Code

Firewalls
(May 1995)

Indexed By Thread: [Previous] [Next]

Subject:	Re: Source Code
From:	Phil Trubey <phil @ netpart . com>
Organization:	NetPartners, Newport Beach, CA
Date:	Thu, 4 May 1995 08:30:20 -0700
To:	padgett @ tccslr . dnet . mmc . COM
Cc:	firewalls @ greatcircle . com
In-reply-to:	<9505011859 . AA04955 @ uvs1 . orl . mmc . com>

In article <9505011859 .
 AA04955 @
 uvs1 .
 orl .
 mmc .
 com> you write:
>Frank rites:
>>Even though we include source code with our distribution, I would not suggest
>>that anyone make changes.   It gets real hard to try to support a product
>>and changes as well.  I can not guarantee that any changes that are
>>made will work in the next version.
>
>This is the best choice IMNSHO. The code is there if necessary (and often is,
>cannot count the times I have had to make a vendor-suggested patch because the 
>vendor could not duplicate the problem on their equipment), and available
>for examination (when I have made trouble calls, this has often enabled me
>to direct the vendor's attention to the specific module giving trouble.

There are other ways of providing the same functionality - BorderWare has a
user-controllable (ie. you can turn on and off this feature via the console,
by default it is off) back door that allows the developers to effectively 
telnet into the firewall (which can be initiated only via a certain IP
address, and only using strong authentication) over the net and see what's
wrong with a firewall.  Patches can be downloaded from the net (patches
are cryptographically checksummed, of course) by end users and a console
menu selection is used to apply them (the patch update code brings the 
machine down to a single user, non-network listening mode, applies the
patches and reboots).

If you need to debug a commercial program on your own, the vendor
obviously has a problem with supporting their installed base.

I realize that trusting a vendor to have good support policies is always
an act of faith, but BorderWare (and other firewall vendors, I might add)
have an open user mailing list that users can gripe about bad support to.  
This provides a tight feedback loop since a lot of prospective customers 
look at this list...

>The point is that in a dynamic environment a customer may not be able to wait
>for the next version and at the same time, the vendor may not have the
>available resources (equipment and manpower) to be able to recreate it.

And with the above described setup, the software manufacturer can debug
your particular dynamic set up ("Did you know you had a mail routing loop?")
and create patches that are installable and downloaded by everyone
which keeps everyone running the same versions.


-- 
Phil Trubey                 | 
NetPartners                 | Providing Internet products and services. 
E-mail: phil @
 netpart .
 com    |   Home Page: http://www.netpart.com/
Phone:  714-759-1641        |

Follow-Ups:

Re: Source Code
From: Howard Berkowitz <hcb @ clark . net>

References:

Source Code
From: padgett @ tccslr . dnet . mmc . com (A. Padgett Peterson, P.E. Information Security)

Indexed By Date	Previous:	Re: PC site security From: "S. Alexander Jacobson" <alex @ virtual . office . com>
Indexed By Date	Next:	Re: repository of Security policies - CORRECTION From: marchany @ vtserf . cc . vt . edu
Indexed By Thread	Previous:	Source Code From: padgett @ tccslr . dnet . mmc . com (A. Padgett Peterson, P.E. Information Security)
Indexed By Thread	Next:	Re: Source Code From: Howard Berkowitz <hcb @ clark . net>