I remember the day that one of the NT servers I supported crashed just because 
an FTP client "tried" to establish a PROPER and regular FTP connection to the 
server. That is no joke... it was Windows NT 4 before Service Pack 1.

Even the best firewall coding practices won't deliver you a stable FW if the 
base OS that the FW code is running on is buggy. Another point is that the FW's 
job can be negatively impacted if the OS lets itself be faked out (spoof-like 
operations, IP packet malforming, fragmenting and so on).

The question you ask isn't really worth anything... it certainly depends on a 
good and stable OS AND the firewall code to get a true security solution. I 
managed to learn 6 programming languages in my 11 years of IT experience... I 
do know that there's nearly no way to get 1'000 lines of code that fit all 
conditions, that won't allow buffer & variable overflows, and in the "worst" 
case logical errors.

By the way... usually commercial software contains at least one error per 1'000 
lines of code (can't name the source of that information right now off the top 
of my head).

Now tell me... how big is the chance that a firewall that has its own, 
proprietary mini-OS and is entirely less than 100'000 lines is going to contain 
fewer bugs, compared to a firewall that builds on an OS (from some strange vendor 
that has an information-flow problem and doesn't like to show you the source 
code) that has, let's say, 10 million lines of code (W2K is going to have some 40 
million lines of code, I've read)?

Well... how big are the chances that the vendor really implemented everything 
as the provided information tells? Could one of those functions expose a 
security problem for your application (FW)? If the vendor changes functions (in 
DLLs, for example) that your code relies on... can this render your entire 
software unusable or nonfunctional?

Can you keep pace with the new security concerns and holes that appear nearly 
on a daily basis if you rely on the vendor to give you the information you need 
(and that he gets the fixes bugged... aah, I mean... the holes plugged)?

And the last question... who says that the programmers at NAI are better than 
those at MS? *evilGrin*

Hope you all enjoy your weekend (more than the still-working Boris...)

Boris Pavalec [QPB]
Network / System Engineer [MCSE]
Highend Computing Systems
Switzerland - Zuerich

http://www.nt-admin.net
[EMAIL PROTECTED]
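
Boris's point about an OS letting itself be faked out by malformed or fragmented packets can be made concrete. The following Python is an added example, not code from either message, from NAI or from any other vendor: it takes a constructed set of IPv4 fragments and reports the properties (a first fragment too small to hold the transport header, overlapping pieces, gaps) that leave a packet filter unable to trust what it sees, and it shows that two reassembly policies that IP stacks have historically used ("first data wins" versus "last data wins") rebuild different bytes from the same fragments. The `Fragment` class, the 20-byte threshold and the sample fragments are assumptions made for the illustration.

```python
"""Flag ambiguous IPv4 fragment sets the way a defensive filter or IDS would.

Added example (not from the mailing-list thread). Fragments are modelled as
already-decoded (offset, more-fragments bit, payload) records; the SAMPLE set
at the bottom is constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed threshold: a full fixed-size TCP header. A first fragment shorter than
# this cannot carry the flags a filter needs to classify the connection.
MIN_FIRST_FRAGMENT = 20


@dataclass(frozen=True)
class Fragment:
    offset: int      # byte offset of this piece inside the original datagram
    more: bool       # the IP "more fragments" bit
    payload: bytes


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Rebuild the datagram in arrival order under one of two overlap policies.

    policy="first": a byte that was already filled keeps its value.
    policy="last":  a later fragment overwrites whatever was there before.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    total = max(f.offset + len(f.payload) for f in frags)
    buf = bytearray(total)
    seen = bytearray(total)  # 1 where a byte has already been written
    for f in frags:
        for i, b in enumerate(f.payload):
            pos = f.offset + i
            if policy == "last" or not seen[pos]:
                buf[pos] = b
            seen[pos] = 1
    return bytes(buf)


def analyze(frags: List[Fragment]) -> Dict[str, bool]:
    """Report the properties that make a fragment set untrustworthy for filtering."""
    total = max(f.offset + len(f.payload) for f in frags)
    coverage = [0] * total  # how many fragments claim each byte
    for f in frags:
        for i in range(len(f.payload)):
            coverage[f.offset + i] += 1
    first = next((f for f in frags if f.offset == 0), None)
    findings = {
        "bad_offset": any(f.offset % 8 for f in frags),  # IP offsets count 8-byte units
        "missing_first": first is None,
        "tiny_first": first is not None and first.more
        and len(first.payload) < MIN_FIRST_FRAGMENT,
        "gap": any(c == 0 for c in coverage),
        "overlap": any(c > 1 for c in coverage),
        "no_final": not any(not f.more for f in frags),
    }
    # The decisive test: if the two policies disagree, a filter that reassembles
    # one way inspects different bytes than an endpoint that reassembles the other.
    findings["ambiguous"] = reassemble(frags, "first") != reassemble(frags, "last")
    return findings


# Constructed sample: the first piece is too short to hold the TCP flags, and the
# third piece re-sends bytes 16..23 with different content than the second piece.
SAMPLE = [
    Fragment(0, True, b"A" * 16),
    Fragment(16, True, b"B" * 8),
    Fragment(16, False, b"C" * 16),
]

if __name__ == "__main__":
    for name, value in analyze(SAMPLE).items():
        print(f"{name:14} {value}")
    print("first-wins:", reassemble(SAMPLE, "first"))
    print("last-wins: ", reassemble(SAMPLE, "last"))
```

The useful output is not the overlap flag by itself but the `ambiguous` result: when the two reassemblies differ, the bytes the firewall judged are not necessarily the bytes the protected host will act on, which is exactly why the behaviour of the underlying IP stack matters to the security of the filter sitting on top of it. A filter that drops any set flagged `tiny_first`, `overlap` or `ambiguous` removes that dependency instead of trying to guess the endpoint's policy.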


-----Original Message-----
From: cm [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 29 May 1999 16:27
To: firewalls
Cc: cm
Subject: UNAUTHENTICATED: Why not NT?


At 10:09 AM 5/28/99, Larry Claman wrote:
> I won't comment on this, other than
> to say that many (most) security experts still distrust NT.

And why is that, exactly?  Is this distrust based on an analysis of how the
firewall and OS interact?  If someone wants to argue that the OS has a
major role in determining the performance and stability of a firewall
platform, I'll allow that as given.  But if someone tells me the OS affects
the security of the firewall, then I'd be interested in knowing *why* they
believe that's true.  No points given for "because it's NT".  :-)

Hypothetically, suppose there was a firewall that had code sitting right
above the network drivers that grabbed the packets, processed them, and
sent them back down to the network drivers.  From a security perspective,
would you be concerned about the OS or the firewall code?

Chris

--  <--listserv unconfuser
{
|  Christopher Michael
|  Network Associates
|  Channel Security Specialist
|  [EMAIL PROTECTED]
}
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
