Jim Comen wrote:

> I'm trying to determine what would be the best (and most appropriate) OS
> platform for a firewall. I've looked through several months of past
> postings on this mailing list as well as other URLs to see if I could find
> any clear direction on this issue, but I haven't seen any.
> I'm going between NT and a UNIX variant.

The experience I have with NT and UNIX is not based on a firewall, but on a couple of webservers, nameservers and mail relays. That environment had about 50 systems to maintain just for the Internet. They have all been migrated to UNIX now.

As a short response I can just tell you: it is almost impossible to keep NT secure. If you have installed all possible patches, NT kills itself. If you have not installed all needed patches, everybody else can kill your system (denial of service attacks). It is just not reliable and not easy to maintain.

You have no chance to customize your system to the functionality needed. It is always a desktop OS. This has major impacts on security. Maybe it is not as easy to get a shell on NT as on UNIX, but it is possible too. On UNIX you can customize your system to fit your needs. You can easily remove everything you don't need.

Logging on NT is very difficult. It is not easy to centralize logging and to observe the logfiles automatically (at least I did not find out how, and neither did the MCSEs in that company).

The TCP/IP implementation in NT is not transparent. You have no idea on what port NT listens and why. (Some ports are obvious.)

Another point which is quite important: performance. On NT you always need twice as much RAM, and the clock speed must always be higher, to get the same results as on UNIX. You can test that very easily if you install NT and FreeBSD or Linux on the same system. The UNIX variant will always perform better.

In the mentioned company I got the chance from the management to do a simple test. With a small program downloaded from the Internet I could kill more than 2000(!) systems in a single strike. This action took me less than five minutes. Every system had to be rebooted after that action. But a major part of that company was blocked for about ten minutes. Servers had to be restarted. None of the responsible persons found the reason for the big bang.

These are my personal experiences. Other people have definitely had better ones than I did. Don't start a flame war please.

have fun ...

-- 
=========================================================================
Peter Bruderer                        mailto:[EMAIL PROTECTED]
Bruderer Research GmbH                Tel ++41 52 620 26 53
Internet Security Services            Fax ++41 52 620 26 54
CH-8200 Schaffhausen                  http://www.bruderer-research.com
=========================================================================
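The post's complaint about NT is that you cannot tell which ports the box listens on or why. As an added example, not part of Peter's message or any tool from the thread, here is the UNIX-side check a firewall admin would actually run: read the kernel's own socket tables (/proc/net/tcp and /proc/net/tcp6, so this assumes Linux), decode every socket in LISTEN state, and flag anything not on an explicit allowlist of port-to-bind-address pairs. The sample table contents and the allowlist are constructed for illustration; the decoding of the little-endian hex addresses is the real format.

```python
# Added example (not from the original post): inventory listening TCP sockets on a
# Linux host straight from /proc/net/tcp and /proc/net/tcp6, then flag any listener
# that is not on an explicit allowlist. Assumes Linux: the /proc format is kernel-specific.
import socket

LISTEN = "0A"  # TCP_LISTEN state code as it appears in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (header row + one row per socket);
# not captured from a real host. Addresses are little-endian hex, ports big-endian hex.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0501000A:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0501000A:0016 0701000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""

# Constructed sample in /proc/net/tcp6 format: one listener on [::]:80.
SAMPLE_PROC_NET_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
"""

# Hypothetical allowlist for a firewall host: port -> bind address it may use
# ("*" means any address). sshd on any interface, the MTA only on loopback.
ALLOWLIST = {22: "*", 25: "127.0.0.1"}


def _decode_addr4(hex_addr: str) -> str:
    """Decode a /proc/net/tcp IPv4 address (4 bytes, host byte order, little-endian host)."""
    return socket.inet_ntoa(bytes.fromhex(hex_addr)[::-1])


def _decode_addr6(hex_addr: str) -> str:
    """Decode a /proc/net/tcp6 IPv6 address (four 32-bit words, each little-endian)."""
    words = [bytes.fromhex(hex_addr[i:i + 8])[::-1] for i in range(0, 32, 8)]
    return socket.inet_ntop(socket.AF_INET6, b"".join(words))


def parse_listeners(table_text: str, ipv6: bool = False) -> list[tuple[str, int]]:
    """Return (bind_address, port) for every socket in LISTEN state in a /proc table dump."""
    listeners = []
    for line in table_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if state != LISTEN:
            continue  # established/time-wait sockets are not what we audit here
        addr_hex, port_hex = local.split(":")
        addr = _decode_addr6(addr_hex) if ipv6 else _decode_addr4(addr_hex)
        listeners.append((addr, int(port_hex, 16)))
    return listeners


def unexpected_listeners(listeners, allowlist):
    """Flag listeners whose port is unknown, or bound more widely than the allowlist permits."""
    bad = []
    for addr, port in listeners:
        allowed = allowlist.get(port)
        if allowed is None or (allowed != "*" and addr != allowed):
            bad.append((addr, port))
    return bad


def audit_host(allowlist):
    """Run the check against the live kernel tables; returns [] on a non-Linux host."""
    found = []
    for path, ipv6 in (("/proc/net/tcp", False), ("/proc/net/tcp6", True)):
        try:
            with open(path) as fh:
                found += parse_listeners(fh.read(), ipv6)
        except OSError:
            continue  # table absent: not Linux, or /proc not mounted
    return unexpected_listeners(found, allowlist)


if __name__ == "__main__":
    # Against the constructed sample: 0.0.0.0:22 and 127.0.0.1:25 pass, 10.0.1.5:8080 is flagged.
    for addr, port in unexpected_listeners(parse_listeners(SAMPLE_PROC_NET_TCP), ALLOWLIST):
        print(f"unexpected listener in sample: {addr}:{port}")
    for addr, port in audit_host(ALLOWLIST):
        print(f"unexpected listener on this host: {addr}:{port}")
```

Reading /proc directly rather than shelling out to netstat or ss means the check does not depend on which userland tools survived the stripping-down the post recommends, and it keeps working in a cron job on a minimal firewall image. Bind address matters as much as port: a daemon that is allowed on loopback but found on 0.0.0.0 is exactly the kind of surprise the allowlist should catch.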
