On Tue, 12 Jan 1999, Andy Condliffe wrote:

> I agree with a lot of what you say, but the original question
> was which OS, UNIX or NT?  As the word "knowing" seems to have

Right, I just think that a lot of people jump too quickly to the 
answer based on what I think are the wrong questions.  A lot of people 
want someone to tell them "use xyzzy", but rather than an easy answer of 
"If you like frotz, use it instead", I think people need to think a great 
deal more carefully about security solutions.  A great deal of the 
rationale used by a number of people (and I'm not picking on you here, 
this is a generalist statement) for choosing firewalls has not much at 
all to do with firewalling.  All things, unfortunately, aren't equal, and 
I prefer to raise the issues that traditionally have held value.  "Eggs 
and baskets" is one such issue.  


> touched a raw nerve, perhaps "understanding" would have been a
> better choice, or will that just make things worse :-(

Well, as I tried to point out, that's another argument entirely, but 
while I understood what you were getting at, I just think it bears 
pointing out that a lot of people have no clue how an OS operates at the 
network level, and those are generally the same folks who want to be told 
what OS to use.

> 
> I also use PIX and Cisco 16xx with the firewall feature set, all
> of which have had their problems.  I haven't come across any vendor
> who has particularly inspired confidence.

We can definitely agree on that point.  All firewalls suck, they just all 
suck in different ways.

> The ideal solution, as you seem to suggest,  is multiple devices
> of different architectures, whether it be router + host, or host
> + different host with different FW s/w.

Definitely, I just wanted to point out that since host security is your 
last line of defense (and we as an industry need to drive the "firewall" 
thinking all the way down to the host) putting all the eggs in a single 
basket, even a well-known one, may not be the best choice.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
