>We're aware of how insecure UNIX is natively. The point here is that a
>firewall should be as close to 100% secure as possible out-of-the-box,
>removing the possibility that human intervention (or human NON-intervention,
>for that matter) creates or allows ANY holes for ANY length of time.
>A couple of UNIX-based firewall vendors DO address the issue of the
>non-secure kernel. If kernel insecurity is addressed at the vendor level,
>(i.e. - the guys making the money) the argument about customer-level
>'professional' versus 'scanner' firewall users should be non-existent. I
>truly believe in the concept that, without a hardened kernel there is no way
>to guarantee a truly secure firewall.
I agree. Here are my new definitions, which may be of use to others:
A 'firewall' is a system that, if configured correctly by professionals
(who have read all the manuals from cover to cover), and notwithstanding
hardware or software bugs or problems, protects your network.
A 'good firewall' is a system that protects your network.
It must have defense in depth, so that in the event of a failure (such
as after the discovery of new bugs), other mechanisms will protect you.
It must have a fail-safe design, for protection in the event of
hardware/software problems or administrative errors. Instead of letting
attackers in when there is a failure, fail-safe systems deny access to
both attackers and legitimate users. Failure to read the manual may result
in you not being able to turn a service on, instead of the service being
wide open without protection, and possibly making your internal network
If I wanted to protect my network, I would buy a 'good firewall'.
Since so many people wanted to talk about the necessity of completely
reading the manuals, I searched the FireWall-1 web site to see what
they had to say about it. The closest I could find was the "Ease of Use"
paragraph at http://www.checkpoint.com/brochure/page10.html
It starts with "FireWall-1 was designed to be easily installed,
configured and managed", then talks about the easy to use GUI,
and the integrity checking that reduces the chance of operator error.
I couldn't find any mention of a manual.
Steve Kotsopoulos M.Eng. steve @
Systems Analyst Engineering Computing Facility, University of Toronto
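The fail-safe versus fail-open distinction above, as an added example that is not part of the message or of any vendor's product: a toy packet filter in which the same rule list is evaluated two ways. The `Packet`/`Rule` model, the `filter_fail_open`/`filter_fail_safe` functions, and the addresses, rules and packets are all constructed for illustration; the "administrative error" is a mistyped prefix (/33) in a newly added rule.

```python
# Added example (not from the original message or any vendor's product):
# a toy packet filter that contrasts a fail-open design with the fail-safe,
# default-deny design argued for above. Addresses, rules and packets are
# constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    proto: str
    dport: Optional[int]  # None means any port

    def matches(self, p: Packet) -> bool:
        # ip_network() raises ValueError on a mistyped prefix such as /33;
        # that is the administrative error the two filters treat differently.
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto == p.proto
                and (self.dport is None or self.dport == p.dport))


def filter_fail_open(rules: List[Rule], p: Packet) -> str:
    """Fail-open: first matching rule wins; no match, or an error while
    evaluating a rule, lets the packet through."""
    try:
        for r in rules:
            if r.matches(p):
                return r.action
    except ValueError:
        pass  # broken rule silently skipped: nothing left to stop the packet
    return "allow"


def filter_fail_safe(rules: List[Rule], p: Packet) -> str:
    """Fail-safe: first matching rule wins; no match, or an error while
    evaluating a rule, denies the packet (attackers and legitimate users alike)."""
    try:
        for r in rules:
            if r.matches(p):
                return r.action
    except ValueError:
        return "deny"  # refuse to guess what a malformed rule meant
    return "deny"


# Constructed policy: the only intended hole is SMTP to the mail relay.
MAIL_RELAY = "192.0.2.10/32"
GOOD_RULES = [Rule("allow", "0.0.0.0/0", MAIL_RELAY, "tcp", 25)]

# Same policy after a typo in a newly added rule (/33 is not a valid prefix).
TYPO_RULES = [Rule("allow", "10.0.0.0/33", MAIL_RELAY, "tcp", 25)] + GOOD_RULES

SMTP_TO_RELAY = Packet("198.51.100.7", "192.0.2.10", "tcp", 25)
TELNET_INSIDE = Packet("198.51.100.7", "192.0.2.20", "tcp", 23)  # no rule covers this


def compare(rules: List[Rule], p: Packet) -> dict:
    """Return both verdicts for one packet under one rule set."""
    return {"fail_open": filter_fail_open(rules, p),
            "fail_safe": filter_fail_safe(rules, p)}


if __name__ == "__main__":
    for name, rules in (("good rules", GOOD_RULES), ("rules with typo", TYPO_RULES)):
        for label, pkt in (("smtp to relay", SMTP_TO_RELAY), ("telnet inside", TELNET_INSIDE)):
            print(f"{name:16} {label:14} {compare(rules, pkt)}")
```

With the correct rule list, both filters admit SMTP to the relay, but only the fail-safe filter stops the telnet connection nobody wrote a rule for. Once the mistyped rule is in place, the fail-open filter skips the error and lets everything through, while the fail-safe filter refuses everything, including the legitimate SMTP service, until the administrator fixes the typo. That is precisely the trade-off the message describes: the cost of an error is a service you cannot turn on, not a network left wide open.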