Great Circle Associates Firewalls
(January 1997)
 


Subject: Re: Unix or NT
From: "Cary Conover(IS) 13897" <cconov @ exp2 . is . xpark . pmh . org>
Organization: Parkland Memorial Hospital
Date: Thu, 16 Jan 1997 09:51:24 -0600
To: @why.net:nvs2 @ cornell . edu
Cc: @why.net:firewalls @ greatcircle . com
References: <Pine . SOL . 3 . 91 . 970114134628 . 19639A-100000 @ travelers . mail . cornell . edu>

nvs2 @ cornell . edu wrote:
> 
> Hi All,
> I am a Master's student in Comp. Sc. and my master's project is the
> design and implementation of a firewall. The basic question ahead of me
> is whether to implement the firewall on NT or on Unix.

The biggest issue here is not the firewall; it is a computer security
policy for the University.  For a firewall to work you need to have a
comprehensive security policy that covers everything from sign-on to
your network, to the use of university resources, protection of the
information on the network, encryption if need be, E-mail use policies,
WWW policies on sites that are on the permitted and not-permitted lists,
and the list goes on ad nauseam.  This is a big subject, and a firewall
is a small part of this area.  A firewall will be of little value if
users can dial in from another location and access whatever they like
without some sort of verification of their ID and authorization.  This
means controlling dial-in access as well.  Wherever someone can gain
access to the network is where security needs to begin.

Think of it this way.  What good is a door if there is no wall on either
side of it?  Same goes for a firewall.

When selecting a firewall, the following is the direction to go, in my opinion:

What is the strongest support group that you have locally at your
college?  Unix or NT?  

If it is Unix, what flavor of Unix is the standard, if there is such an
animal on your campus?  e.g. AIX, SunOS, Sun Solaris, HP-UX, to name a
few.

If it is NT, are they MCSE certified, and do you have the monthly updates
to the knowledge base (TechNet) subscribed to?  If not, get them that way
and subscribe, so that you have the latest Microsoft information in hand
at all times.

Based on this I would recommend that you look at firewalls that would
operate on OS's that you have local expertise in.  The reason is that
support expenses could get really hairy, and help could at times take a
while to get to you; with a firewall, help is needed immediately if
you have problems.

> Now, I don't know the advantages / pitfalls of either approach and since
> this is just a project my school doesn't care.
> 
> But, all the discussions I hear on this mailing list are mainly about Unix
> firewalls and all the books talk about Unix only. Does that mean that it
> is tough to get any material to build Unix software?

No, Unix is mostly written in C.  So you need someone who can write C
code for the flavor of Unix that you are running.  Each Unix has its
own compiler, and because of this each system has its own little quirks
when it comes to getting code to compile.


> Also, is it easier to
> do it on Unix since everything is so easily available?
> 

This is where the wealth of the knowledge in firewall software is today,
at this minute.  However, NT is making great steps to change this.  There
are a lot of software vendors porting their products to NT at this
time.  The reason is that the hardware for Unix is expensive.  NT can run
on a garden-variety PC (Pentium).  So this saves a lot of money.

Both OS's, NT and UNIX, have their own unique security challenges.  NT
seems to be easier to maintain in the beginning; however, now there are a
bunch of security holes being discovered that will bury the system by
hogging the CPU process time.  There are many horror stories on this kind
of issue for any of the OS's.

Relax.

1.  Keep your OS up to date, whatever it is.  Make sure the latest
patches are applied and working.  They have the patches that fix those
security holes.

2.  When a CERT Advisory comes out, READ IT.  If there is a patch
mentioned, get it and install it.

3.  Read the CERT Summaries to ensure that you have all of your
patches.  These are published on a monthly basis.

4.  Use only NCSA certified firewalls.

5.  If you are really concerned, solicit bids and have them install the
system.  Include in the contract that they will keep you up to date for
the following year on all software patches and fixes.

6.  Once the firewall is running, have NCSA come out and certify your
site.  This will at least ensure that you are secure to a level that you
could consider safe.

NOTE:  The term "safe" is relative in this case.  It is safe against the
known attacks and bugs of the time that the certification is done.  Have
the site recertified on a yearly basis.

As the saying goes, the site is only as secure as the security policy
that is in place and the amount of enforcement of that policy.  A
firewall is a tool to enforce this policy.

I hope this helped.

> I would greatly appreciate any advice that people would have.
> 
> Thanx
> A very confused...
> Nik.
> ------

-- 
Cary D. Conover
AIX Systems Administrator	Senior Systems Analyst
Parkland Memorial Hospital	Dallas, Texas
cconov @ parknet . pmh . org		carydc @ why . net
817-571-6694 Home Voice		817-571-6793 Data/Fax
817-360-8572 Mobile 		214-590-0244 Work Voice
214-786-0282 Pager

