>> >Most Unix systems are unfortunately insecure out of the box.
>> >We should expect all good firewalls to be highly secure out of the box.
>> I agree 100%. The true test of a firewall package is to see what it does
>> you DON't follow the vendor recommended procedures. How does it handle
>> user tricks? What state does it leave your network when something like that
>> happens? There's a gap between the people who really read the
instructions and those who
>> just scan the instructions. Unfortunately, I believe the scanners
>I'm sorry, I disagree 100%. There are dabblers, and there are professionals.
>Dabblers always just scan the instructions. Professionals do, too, but
>they know when they need to go back and read them. If you don't follow
>the recommended procedures, you assume some of the responsibility for the
>consequenses. Or would you rather all UNIX systems shipped with a random
>root password so you don't have to worry about forgetting to set one?
We're aware of how insecure UNIX is natively. The point here is that a
firewall should be as close to 100% secure as possible out-of-the-box,
removing the possibility that human intervention (or human NON-intervention,
for that matter) doesn't create or allow ANY holes for ANY length of time.
A couple of UNIX-based firewall vendors DO address the issue of the
non-secure kernel. If kernel insecurity is addressed at the vendor level,
(i.e. - the guys making the money) the argument about customer-level
'professional' versus 'scanner' firewall users should be non-existent. I
truly believe in the concept that, without a hardened kernel there is no way
to guarantee a truly secure firewall.