On Fri, 17 Jan 1997, D. Todd Meckenstock wrote:
> I think the common dividing line between camps is that with UNIX you get
> all the source code so you know exactly what is going on and can adjust it
> yourself as needed.
Untrue. Source for NT is easier to get than it is for most unices.
> The reason why NT is so attractive over UNIX is that it is harder to
> install a UNIX system. Many people like NT because they just want to boot
> to a floppy, insert a CD-ROM and be guided through a graphical, automated
> setup.
Wow, sounds like redhat linux 4.0.
> You should find that *experts* prefer UNIX because they want full
> control and they understand it. In contrast, persons who do not consider
> themselves UNIX experts would probably rather deal with NT rather than
> attempt to learn UNIX.
My big question is still this:
If people use NT because they don't want to learn how to do the hard stuff
associated with Unix, then why do you assume that they are going to learn
how to do the hard stuff associated with network security?
Even Russ Nelson will agree with me on this one, that all the GUIs and
winhelps in the world won't do a damned bit of good if the person writing
your packet filter doesn't understand how IP works.
To be honest, I see very little difference between NT and, say, solaris
in this context. Both are mildly unstable, but not terribly so. Both are
rather expensive. Both offer your typical mix of unix/ip functionality.
My beef with NT is not that it's not up to the job. If DOS was up to the
job, and it was, then NT can be, too. Firewalls are not, technologically,
very demanding pieces of machinery; in fact, they're little more than
applied policy engines. "(Match packet && execute rule) || discard".
"Accept connection && proxy". This isn't hard stuff.
My problem is with suit-type people who think that NT allows them to
escape having to hire people who know what the hell they're doing. Sure,
it makes great business for people like me who can come in after the fact,
figure out what went wrong, give them a real solution, and charge the hell
out of them. Being more interested in seeing people do the right thing
than in making a lot of money, I say that you're better off doing it right
the first time.
Doing it right can mean NT, although it usually doesn't, but the important
part is not the OS, but the understanding of the person who builds your
firewall solution. No OS and no prepackaged firewall can remove that
element from the equation, which, all too often, is what NT solutions try
to do.
__
Todd Graham Lewis Linux! Core Engineering
Mindspring Enterprises tlewis @ mindspring . com (800) 719 4664, x2804