>>>>> "Douglas" == Douglas Cheline <dcheline@genuity.net> writes:
Douglas> The various Firewall vendors that I have spoken to have
Douglas> repeatedly stated that, even though their product does run
Douglas> over NT, running firewalls over UNIX is much more secure.
Douglas> The reasoning I get is that NT has some inherent
Douglas> vulnerabilities that cannot be plugged since the code is
Douglas> proprietary and closed. UNIX on the other hand is standard
Douglas> based and open, plus it has been on the market much longer
Douglas> and more efforts have been placed in plugging the holes
Douglas> there.

Running anything on Windows NT isn't necessarily insecure. It
certainly can be, if it's configured poorly. However, security cannot
be proven. It is only by time and by standing up to test after test
that anything in security reaches a level of probable security. The
biggest problem with NT is that it is closed, and its code isn't
available to the world to be examined and have bugs eradicated. As a
result, the level of security that NT will provide is, at best, unknown.

Along these lines, mjr posted a while back that he sent some folks off
to Microsoft for NT developer training or something like that. His
post noted that the Microsoft trainer asserted that there are
'administrative hooks' in NT that only Microsoft knows about. What are
these hooks? Are they really there? What do they do? What happens if
someone with a black hat finds one of 'em out? Is that enough to
compromise the security of the OS? We can't possibly know without
having the source or reverse engineering the whole thing to hell and
back. (Which is forbidden by Microsoft by their wonderfully
restrictive totalitarian licenses.)

That's strike one.

Consider something else: Windows NT isn't the subject of advisories
like that from CERT simply because Microsoft refuses to participate
with the security organizations like CERT. CERT, in its desire to be a
white-hat organization that doesn't aid any people wearing black hats,
will not release an advisory on a problem to which there is no
solution. (Generally, they seem to not stick so closely by this policy
anymore, as they published a vulnerability in SATAN before a fix was
available. Very strange, that.)

Refusing to participate with the security folks is strike two in my
book.

Furthermore, why would you want to run a firewall on NT? So you can
pay $1000 for an operating system that allows you to have more than 10
simultaneous IP connections? Microsoft used to claim that there was a
difference between NT workstation and NT server. They were caught in
that lie by InfoWorld. A company that is so marketing-driven (as
opposed to technology-driven) as Microsoft has a proven track record
of lies and deceit, and makes claims like their proxy server is
analogous to the level of security provided by many firewalls, is NOT
the kind of vendor that I want to give my company's front door keys
to.

Also consider the great speed with which NT is developed. They're so
hot to get the next version out that things like security can't
possibly be scrutinized very carefully, even within their own
organization.

Back to my question as to why someone would want to run a firewall on
NT. It doesn't scale as high as Unix (compare its scalability to
Solaris, for example). It doesn't perform as well as Unix (for 0% of
the price, FreeBSD will outperform NT in socket performance), and it
doesn't have even a fraction of the security tools available in the
Unix world. Things that ARE available for NT typically don't include
the source, so you're back to having things that you can't trust
running on your firewall again.

The only thing that I've ever heard is that they want to run it on NT
so that "anyone" can run it. Sorry, but when you're talking about a
firewall, it isn't JimBob's home network. You need someone with a clue
guarding the front door.

Strike three: it's less functional, less scalable, and locks you into
a vendor that wants to take over the world. I'm not just bashing, but
why in the world would anyone want to make themselves dependent upon
an EXTERNAL VENDOR to guard the entry point to the Internet?

Firewalls are necessarily technical, folks. Anyone looking for a black
box to plug into the wall "and just work" is asking for trouble.

--
Matt Curtin cmcurtin@research.megasoft.com Megasoft, Inc Chief Scientist
http://www.research.megasoft.com/people/cmcurtin/ I speak only for myself.
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet