So where are we going...
Amanda Appleton  
Newsgroups: muc.lists.firewalls
From: AmandaApple...@djonas.co.uk (Amanda Appleton)
Date: 1997/08/12
Subject: RE: So where are we going...

First, apologies to those who aren't interested... I'll try not to waste
too much bandwidth. However, I feel I may not have expressed my
thoughts clearly - hence the reply.

        Magossa'nyi A'rpa'd apparently wrote:

        (various bits snipped for at least some brevity)

        >> > >A)    NT is now considered a viable firewall platform by some security


 
Russ  
Newsgroups: muc.lists.firewalls
From: Russ.Coo...@rc.on.ca (Russ)
Date: 1997/08/12
Subject: RE: So where are we going...

So many apologies Amanda, they really weren't necessary, I think many of
us knew what you meant when we read it...;-]

That being said, Marcus and I and many others had a thread a while back
called "Firewall Futures" I believe, wherein we discussed how we thought
Firewalls and security should go in the future.

A point that I made, which Marcus vehemently disagreed with...;-]...was
that getting any additional security into the mix is better than getting
only the best security into the mix. That belief can extend to employing
NT-based Firewalls for whatever reason the deployer chooses, but not for
the reasons that most would believe.

1. If a company chooses to blindly follow the marketing droid, then the
company has a bigger problem than which marketing droid they happened to
follow, don't they?

2. If a company chooses to implement a Firewall based on NT because they
believe that its GUI makes it easier to manage, then maybe they have
their priorities wrong? Then again, maybe they don't. Maybe they believe
that since they have no security pre-Firewall, getting the inherent
security options included with most COTS Firewalls is enough to start
with and they'll learn as they go along. Meanwhile they have a pretty
GUI to work with as they learn. Have they considered the risks
associated with that decision when they make their purchasing decision?
If not, see #1, if so, then it's a decision based on an acceptance of
risk. Their choice. Do non-NT Firewalls have easy GUIs? Of course, but
somehow the purchaser (in my example case) has made the decision that an
NT GUI is easier than a non-NT GUI, again, their choice.

3. If a company chooses to implement a Firewall without examining source
code, or knowing that some huge group of people (whom they may, or may
not know) has examined it on their behalf, then maybe they don't have
the expertise to understand the nuances or the industry insight to know
who does (who do you trust?). Do they understand the risks associated
with this? If not, see #1, if so, then it's a decision based on an
acceptance of risk. Their choice. We don't go out and hit a wall at
35mph to see if our seatbelts work, we trust that the vendor makes the
seatbelts work properly. If not, they'll recall them (at which point I
may or may not be dead from an impact), it's a risk that they have to
assess. If not, see #1, if so, then it's a decision based on an
acceptance of risk. Their choice.

4. Will the Firewall they've chosen withstand the attacks that might
befall them, or at least alert them to the fact they're being attacked (or
have been attacked)? Well, this isn't really an NT issue, it applies to
all Firewall and security products. They're supposed to do what they say
they will do, and if they don't, they're broken (regardless of platform).
Do they know they need this? If not, see #1, if so, then it's a decision
based on an acceptance of risk. Their choice.

5. Will the Firewall they've chosen be stable enough to ensure it
doesn't become the obstacle to their 'net desires? If not, see #1, if
so, then it's a decision based on an acceptance of risk. Their choice.

Assuming they've never been referred back to #1 above, then they've made
a decision based on a variable amount of risk acceptance, something we
all do when we implement security of any kind. The presumption that any
large group of people (purchasing authorities for security products) are
going to do so *solely* due to #1 is, imo, a fallacy born out of
frustration with the business case process...;-] Sure, I've had people
say they were going to buy something because it was cheaper (despite it
being less secure) but I've also changed the purchasing decision based
on a proper presentation of the issues (i.e. if you do this we will
die...).

MS has good marketing clout with most companies these days, but let's
face it folks, it's not Microsoft knocking at your door trying to sell
you a Check Point Firewall-1, or a TIS Gauntlet, or SmartGate-NT, or
ACEServer for NT, or EnTrust for NT, or most other security products,
it's the vendors themselves doing this (regardless of what MS Proxy is,
does, or will be).

According to my last straw poll, most vendors are finding that the
majority of their new sales are coming from customers choosing NT. Now
hopefully those vendors are not selling them cheap, useless, insecure,
bug-full ports of their Unix products. That seems to be what some people
would have us think.

So regardless of how serious some people think NT is as a security
platform, most security products vendors believe their reputations will
not be tarnished by making their product available on NT. With that kind
of vote of confidence (regardless of how much of the NT kernel they
might replace/remove), I'd say that perception is wrong. If you are a
bit-twiddler who needs to touch every library function yourself, then NT
is not a serious platform for you, accepted. If you're willing to rely
on third-party tools to show you everything that NT is doing with every
bit, wrap around things you don't like and replace them with your own
code, then NT probably offers you more return on your same development
effort, which means you can probably afford to increase your development
effort to make your NT version better than your Unix version...;-]

Please, all flames to me privately (I'm a sucker for textual
punishment...;-]).


 