Kenneth,
The issues you are referring to are not platform specific, but are a
function of your implementation. I will be the first to acknowledge that
MSFT security policy and quick fix engineering was inadequate as of '97.
However, things in Redmond have changed significantly over the last two
years. The MSFT security team has done an excellent job in adapting to this
dynamic space. The issues that you have in deploying NT securely IMO are
not a function of the technology, but a function of expertise. Do you think
a Solaris expert could effectively deploy an NT solution? Conversely, I
wouldn't expect an NT expert to deploy a Solaris firewall appropriately
(unless you are fortunate enough to acquire a bi-lingual SA). Point being,
the technology is not as relevant as the resources applied to it.
--
Christopher Rouland
Director X-Force
Internet Security Systems, Inc.
http://www.iss.net/xforce
(678)443 6000
-----Original Message-----
From: Ng, Kenneth [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 02, 1999 1:31 PM
To: 'Brian Steele'; [EMAIL PROTECTED]
Subject: RE: Why not NT?
We have a couple of NT firewalls (Raptor to be precise) and they are ok as
long as everything works. The trouble is, quite often things don't, and the
firewall is always the first component to be blamed. With the Solaris units
it's easy to diagnose: srl (a sort of brain-damaged ssh) to the box, and you
have full Unix diagnostics to do things like snoop, ping, traceroute, check
the arp cache, etc, etc, etc. In almost every case, the firewall was not
the problem, but we are guilty until proven innocent. On NT, well, I'm
reminded of the old Texas Instruments single computer error message: "can't
do that".
As far as security goes, Microsoft has an extremely poor record for security
and for platform stability. One of the big things in security is how often
things are compromised and how fast problems are fixed. NT gets compromised
regularly. And an annoying percentage of the time when a new exploit tool
comes out, Microsoft's response is "this is not a new vulnerability". That's
true, it's not, but you still have not fixed the old one. And, the number of
people using that vulnerability goes from a few hundred people with
specialized programs to a million script kiddies. And a million script
kiddies is a fine example of decentralized parallel processing.
For right now, we are only buying Solaris Raptor firewalls, the one NT box
has been phased out. Sure, in a few months there will be that new NT product
or service pack that promises to fix everything in the world and be the best
thing since sliced bread. But because I've been burned by NT several times
before, my inclination is to stay away.
> -----Original Message-----
> From: Brian Steele [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, June 02, 1999 8:05 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Why not NT?
>
> What's so funny about this whole thread is these guys ranting and raving
> about NT being not suitable for Firewall work, but many companies are
> happily, and successfully, employing NT Firewalls anyway.
>
> Perhaps what they should really be asking is what do those companies know
> about employing an NT-based system that they don't.
>
> Ignorance is not knowing.
> Stupidity is the active pursuit of ignorance.
>
> Brian Steele
>
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]