Magosányi Árpád apparently wrote:
(various bits snipped for at least some brevity)
> > > > A) NT is now considered a viable firewall platform by some security
> > > > experts
>
> > >> A second-best viable security platform from what I've seen/heard.
> > NO! NT has nothing to do with security, at least not for those who mean it
> > seriously. To do anything serious, you need a platform which is mature, and
> > at least marginally bug-free. NT is not among them.
>
> I disagree. But that wasn't what I was saying. From what I
> have seen and heard (maybe I should add from other people,
> publications and other sources, not just my own views) NT
> is considered to be a _second_ best viable option. In my
> experience, most people will _only_ choose second best
> if first best is not an option for whatever reason.
>
> Again, this is not necessarily what I believe, but it's how
> I perceive the general feeling to be.
>
> > > > C) The MS rhetoric has sold people the bill of goods that "NT is
> > > > secure enough"
> > >
> >> > I hope this is unlikely. Please don't disillusion me ;-p
> > Which part is unlikely? That there are people who think that "NT is secure
> > enough"? You are one of them.
>
> I don't think NT is secure enough - at least not out of the box,
> and not purely relying on MS tools to secure it. I've never said
> I was. I've never implied that I was. What were you saying
> about mis-interpretations... ;-p
>
> > Or that this legend has been driven by MS
> > sales blurb? Knowing that they spend orders of magnitude more money on
> > marketing than development, it is highly likely.
>
> Neither, as it happens. What I hope isn't happening is that
> people in a position to implement a firewall listen blindly to what
> marketing droids say without having any experience whatsoever
> to back it up or shoot it down.
>
> I'm not going to respond to the other comments you made
> simply because I don't want to enter even deeper in the NT
> vs Unix holy war.
>
> As I see it, most people seem to see NT as being 2nd best
> to Unix or Linux for a firewall. My own preference is to use
> an OS that _I_ can secure (rather than trust blindly to a 3rd party),
> and where I know what is being "secured" by other software
> (e.g. a firewall). Also one that I feel comfortable with - that I know
> as close to inside out and back-to-front as is possible. If I knew
> nothing about Unix or Linux, I would not have a firewall running on
> it. Likewise, if I knew nothing about NT, I would not run a
> firewall on it.
>
> Again, apologies for wasting bandwidth on this
>
> ---
> The usual disclaimer:
> These views are mine, not the company's.
> And no-one else can have them, so there!
>
> Amanda Appleton
> Network Administrator
> Drivers Jonas
>
That being said, Marcus and I and many others had a thread a while back
called "Firewall Futures" I believe, wherein we discussed how we thought
Firewalls and security should go in the future.
A point that I made, which Marcus vehemently disagreed with...;-]...was
that getting any additional security into the mix is better than getting
only the best security into the mix. That belief can extend to employing
NT-based Firewalls for whatever reason the deployer chooses, but not for
the reasons that most would believe.
1. If a company chooses to blindly follow the marketing droid, then the
company has a bigger problem than which marketing droid they happened to
follow, don't they?
2. If a company chooses to implement a Firewall based on NT because they
believe that its GUI makes it easier to manage, then maybe they have
their priorities wrong? Then again, maybe they don't. Maybe they believe
that since they have no security pre-Firewall, getting the inherent
security options included with most COTS Firewalls is enough to start
with and they'll learn as they go along. Meanwhile they have a pretty
GUI to work with as they learn. Have they considered the risks
associated with that decision when they make their purchasing decision?
If not, see #1; if so, then it's a decision based on an acceptance of
risk. Their choice. Do non-NT Firewalls have easy GUIs? Of course, but
somehow the purchaser (in my example case) has made the decision that an
NT GUI is easier than a non-NT GUI; again, their choice.
3. If a company chooses to implement a Firewall without examining source
code, or knowing that some huge group of people (whom they may, or may
not know) has examined it on their behalf, then maybe they don't have
the expertise to understand the nuances or the industry insight to know
who does (who do you trust?). Do they understand the risks associated
with this? If not, see #1; if so, then it's a decision based on an
acceptance of risk. Their choice. We don't go out and hit a wall at
35mph to see if our seatbelts work; we trust that the vendor makes the
seatbelts work properly. If not, they'll recall them (at which point I
may or may not be dead from an impact); it's a risk that they have to
assess. If not, see #1; if so, then it's a decision based on an
acceptance of risk. Their choice.
4. Will the Firewall they've chosen withstand the attacks that might
befall them, or at least alert them to the fact they're being attacked (or
have been attacked)? Well, this isn't really an NT issue; it applies to
all Firewall and security products. They're supposed to do what they say
they will do, and if they don't, they're broken (regardless of platform).
Do they know they need this? If not, see #1; if so, then it's a decision
based on an acceptance of risk. Their choice.
5. Will the Firewall they've chosen be stable enough to ensure it
doesn't become the obstacle to their 'net desires? If not, see #1; if
so, then it's a decision based on an acceptance of risk. Their choice.
Assuming they've never been referred back to #1 above, then they've made
a decision based on a variable amount of risk acceptance, something we
all do when we implement security of any kind. The presumption that any
large group of people (purchasing authorities for security products) are
going to do so *solely* due to #1 is, imo, a fallacy borne out of
frustration with the business case process...;-] Sure, I've had people
say they were going to buy something because it was cheaper (despite it
being less secure) but I've also changed the purchasing decision based
on a proper presentation of the issues (i.e. if you do this we will
die...).
MS has good marketing clout with most companies these days, but let's
face it, folks, it's not Microsoft knocking at your door trying to sell
you a Check Point Firewall-1, or a TIS Gauntlet, or SmartGate-NT, or
ACEServer for NT, or EnTrust for NT, or most other security products;
it's the vendors themselves doing this (regardless of what MS Proxy is,
does, or will be).
According to my last straw poll, most vendors are finding that the
majority of their new sales are coming from customers choosing NT. Now
hopefully those vendors are not selling them cheap, useless, insecure,
bug-full ports of their Unix products. That seems to be what some people
would have us think.
So regardless of how serious some people think NT is as a security
platform, most security products vendors believe their reputations will
not be tarnished by making their product available on NT. With that kind
of vote of confidence (regardless of how much of the NT kernel they
might replace/remove), I'd say that perception is wrong. If you are a
bit-twiddler who needs to touch every library function yourself, then NT
is not a serious platform for you, accepted. If you're willing to rely
on third-party tools to show you everything that NT is doing with every
bit, wrap around things you don't like and replace them with your own
code, then NT probably offers you more return on your same development
effort, which means you can probably afford to increase your development
effort to make your NT version better than your Unix version...;-]
Please, all flames to me privately (I'm a sucker for textual
punishment...;-]).
Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security
owner of the NTBugTraq mailing list: http://www.ntbugtraq.com