On Wed, 25 Mar 1998, Paul BOYER wrote:
> NT or UNIX : different. Both are worse and both are better !
> This is not the place to compare OS except for the Security they offer :
>
> What makes a system secure ?
> --> Most agree with me it's the skills of the people running the system. Not the
> system itself.
I tend to disagree, there is also the caveat of a system's stability, and
history over time. It's fairly classic risk assessment. While it is
true that fewer and fewer people are doing risk assessment of their
platform, I'm not sure that there isn't a larger amount of risk
assumption with some solutions.
> Both are _VERY_ complicated to secure. I mean to _really_ secure. No out of the
> box solution is secure, on either side. This is why we get paid ;)
I'm not sure I buy that completely either, Data General ships an "under
evaluation at B-2 system (Red book)" which seems to be pretty damn secure
out of the box. I'd assume that CTX and maybe the CMW variants of Unix
are also shipped by default with least open mode privileges which you
have to break to make them work.
> * NT is moving faster than UNIX, maybe UNIX security lasts longer when the guru
> leaves ;)
> * Most Internet is coming from UNIX, maybe you can find more easily a UNIX guru
> on-line than a NT guru, but things are changing the other way.
> * Most security software vendors are coming from UNIX, maybe their porting to NT
> is not perfect yet and does not take full advantage of NT, but their market is
> changing and so are they.
Don't forget eggs and baskets as well. You should look carefully before
deploying the same platform as the machines to be protected.
> > >>I want to close our internal network with a firewall, but I have no idea
> > >>which is the best, the UNIX or the NT based.
> > >>The firewall will be the Check Point Firewall-1.
> > >>
> > >>Please, give an opinion on this topic.
My opinion on the topic is that I'd choose an application layer gateway
over a stateful packet filter well before I chose what platform to run it
on. There's a larger risk assessment to be done there than on the
platform level IMO.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson       "My statements in this message are personal opinions
proberts @ clark . net   which may have no basis whatsoever in fact."
PSB#9280