Well, I don't like to get into NT vs. Unix stuff on this list, but I
thought of a few comments that might add to the discussion without
being religious about it.

If you strip down NT, replace its processes with trusted ones, and
build up a Firewall, I'd say you're nuts. That, IMO, is a complete
waste of your obvious intelligence, go do it on a Unix box since it's
been done that way for years and there's lots of instructions on how to
do it.

If you are going to use NT as a Firewall platform, there should be only
one reason you would do that. You want to integrate your Firewall into
your existing NT environment (for any of a number of reasons). If
that's not your reasoning, then you shouldn't be considering NT as a
Firewall. I do not/will not believe any vendor's claim today that their
NT version (or their NT product if they don't have a Unix version) is
*more secure* than an existing Unix Firewall product. It's stupid to
believe that NT is inherently more secure than brand X Unix, it isn't.
It's inherently less secure because of all the bells and whistles that
are included and the openness with which things have been implemented.
Couple that with the legacy compatibilities it must support and you
have an extremely insecure base product.

And this is what you'd think to start with when building a Firewall???
I don't think so.

Now with all that said, that doesn't mean that NT shouldn't/couldn't be
secured and built to be a very robust and extremely secure Firewall
product, it can, and many vendors are out and about staking their
reputations on the fact that they can prove it. Venture Capitalists are
a strange lot at the best of times, but if you had a solid Unix product
and a good reputation, would you gamble all that against Microsoft's
penchant for making subtle unadvertised changes to your underlying
OS...without first having a solid understanding of what you're dealing
with and ensuring you can protect yourself from the Borg? I don't think
so.

So I'd venture to suggest that the NT Firewalls that are available are
*as secure* as their Unixen brethren, *or*, they are less secure due to
NT features which the NT community want to have and have (or can)
accept as additional risks. Yes, this might be construed as a
bastardization of Firewalls (lowering the security threshold), but as
opposed to no Firewall at all it's a significant increase in the overall
level of security on the Internet. (This isn't to say that a vendor's
NT implementation might not be more secure than a Unix version *when
protecting an NT environment*, I believe it's definitely possible to
provide better NT security using some NT Firewalls than some Unix
Firewalls).

I'm seeing NT Firewalls deployed in sites where they want to minimize
the risk, not eliminate it. They don't want to devote the resources to
managing a complete Firewall, they want to re-use existing resources
(network admin resources) as Firewall resources. They don't want to
introduce a box, that to them, seems obscure and foreign, they'd rather
use something they're more familiar with. They believe, typically
falsely, that an NT Firewall will somehow protect their use of NT
services and allow them to extend their NT models beyond their local
nets better than if they used a Unix Firewall. They often come from a
background that says "if it doesn't do it today, can it do it in the
next version?" and buy into the concept that if they build it,
Microsoft will come. A lot of people think that because NT is in the
headlines, this translates into better NT products vs. Unix (Unix is
old, NT is new, new must be better than old)...obvious delusions but
beliefs nonetheless.

But beyond this, I've met nobody who thinks that NT is more securable
than Unix. I've met nobody who believes they will be more secure behind
an NT Firewall rather than a Unix one. I've met nobody who believes
that their desktop insecurity will go away because of an NT Firewall.

So NT Firewalls have their place, and Unix Firewalls have theirs. Both,
typically, can be configured to be as strong as the other. Both,
typically, can be configured to leak like a sieve. Both, typically, can
be configured to work with third-party authentication tools, but if
your third-party authentication is an NT PDC, you need an NT Firewall
to talk to it (today). Now debating the value of the NT SAM as an
authentication database, or NT Challenge/Response as an authentication
protocol, is a different matter. If the company has already made the
investment in that dB, and chooses not to change that, integration with
it is very desirable to many.

Also, smaller sites who don't have the time, intelligence, or patience
to configure a Linux or FreeBSD box as a complete Internet server with
*some protection* see NT Firewalls as a way to get what they want. Of
course most of these people believe they can put everything on their
Firewall (SMTP, HTTP, POP3, etc...) because NT can run lots of things and
has simple GUI installation programs to get these things up and
running. Typically not a very good idea, but at least one vendor of a
recently announced NT Firewall actually says that they are happy to run
underneath other NT Application services, so the trend may be changing
there.

As for this buffer-overrun stuff, could someone please point me to a
single example of an NT process overrunning its buffers? I don't mean
CMD.EXE, but an actual NT process which is constrained by the Kernel or
the Executive to stay within its memory bounds. It's so easy today for
people to throw out the "buffer overrun" attack as a latent threat and
never have to back it up. NT's memory leaks, to my knowledge, are
limited to not recovering its own allocated memory, thereby dwindling
resources. Comparisons between NT and any other Windows platform are
just plain lack of knowledge. NT does memory management completely
differently.
Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security Consulting
mailto:Russ.Cooper@RC.on.ca <-- *note the new address*
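The closing paragraph of the message asks for an example of an NT process overrunning its buffers while the Kernel or Executive keeps it within its memory bounds. As an added illustration that is not part of Russ's message or of any NT component, the C program below separates the two kinds of bound involved: the operating system confines a process to its own address space, but a copy routine that ignores the length of a field inside a record the process owns can still overwrite the neighbouring privilege flag without a single write leaving that process's memory. The record layout, the function names and the inputs are constructed for the demo; the bounded variant beside the unbounded one shows the length check that closes the gap.

```c
#include <stdio.h>
#include <string.h>

/* Constructed record layout for this illustration. The OS protects the
 * process's pages as a whole; nothing at that level knows that bytes
 * 0..15 are a name and byte 16 is a privilege flag. */
#define NAME_LEN 16
#define FLAG_OFF NAME_LEN
#define REC_LEN  (NAME_LEN + 1)

/* Unbounded copy: assumes the caller's string fits in the name field.
 * The copy is clamped to the record so the demo stays inside its own
 * array (no out-of-bounds write at the C level); the point is that the
 * flag byte is still overwritten by a name that is merely too long.
 * Returns 1 if the record ends up marked privileged, 0 otherwise. */
int login_unbounded(const char *input)
{
    unsigned char rec[REC_LEN];
    size_t n = strlen(input);

    memset(rec, 0, sizeof rec);           /* flag byte = 0: unprivileged */
    if (n > REC_LEN)
        n = REC_LEN;
    memcpy(rec, input, n);                /* runs past the name field */
    return rec[FLAG_OFF] != 0;
}

/* Bounded copy: the length check enforces the field boundary that the
 * OS cannot see. Over-long names are rejected rather than silently
 * truncated so the caller learns that something was wrong.
 * Returns 1 if privileged, 0 if not, -1 if the input was rejected. */
int login_bounded(const char *input)
{
    unsigned char rec[REC_LEN];
    size_t n = strlen(input);

    memset(rec, 0, sizeof rec);
    if (n >= NAME_LEN)                    /* leave room for the terminator */
        return -1;
    memcpy(rec, input, n);
    return rec[FLAG_OFF] != 0;
}

int main(void)
{
    /* Constructed inputs: a normal name and one that is 16 filler bytes
     * plus one byte that lands exactly on the flag. */
    const char *ok = "russ";
    const char *too_long = "AAAAAAAAAAAAAAAA!";

    printf("unbounded(\"%s\")  -> %d\n", ok, login_unbounded(ok));
    printf("unbounded(long)   -> %d\n", login_unbounded(too_long));
    printf("bounded(long)     -> %d\n", login_bounded(too_long));
    return 0;
}
```

The unbounded variant reports the over-long input as privileged even though every byte it wrote sits inside `rec`; that is the gap between "the kernel keeps the process in its memory" and "the program keeps each value in its field". The bounded variant returns -1 for the same input, which is the check a reviewer would look for in any routine that copies caller-supplied data into a fixed-size structure.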