> To: "Firewalls list" <[EMAIL PROTECTED]>
> Subject: Why not FireWall-1 on NT?
> Date: Thu, 10 Jun 1999 16:21:17 -0400
>
>
> CheckPoint's FireWall-1 is sold to run on the following platforms:
>
> HP-UX 10.x
> AIX 4.2.1 and 4.3.0
> Solaris 2.5 and higher
> Windows NT Server 4.x Service Pack 3.01 (Intel-based only)
>
> It has been my experience that the majority are installed on Solaris and NT
> boxes.
>
> My question for this discussion is this: why would CheckPoint take
> FireWall-1 to NT? It seems that they are the commercial software firewall
> leaders in the marketplace. Why would they risk jeopardizing their product
> and their reputation by selling a product to be built on top of an OS that
> isn't (or can't be made to be) secure?
the answer to any question that starts out "why would they,...", or "why
_don't_ they..." is, invariably, "money".
It comes down to an application of the "golden rule" -- 'he, who has the gold,
makes the rules.'
_Potential_ customers were *demanding* it -- a substantial number of whom
were simply *not* educable with regard to the risks of such action.
Now, _given_that_situation_, what is a vendor to do?? 1) refuse to sell
the customer anything except the 'best' product, and watch the sale go to
somebody who delivers a 'piece of ****' _on_the_customer-demanded_platform_?
or 2) do what you can to deliver the best-possible product (regardless of
*how*far*INFERIOR* to your 'best' product) within the constraints the customer
has placed. Presumption: you feel you can provide a better product _on_that_
_inferior_platform_ than your competitors can.
> This reasoning does not lead me to believe that the NT OS is an inherently
> secure one, but it does lead me to believe even more strongly that the NT OS
> *can* be made secure and that the real important factor is the installation
> and administration ... a point that has been made several times through the
> course of this discussion.
I'll suggest the following:
1) *neither* environment _ships_ in a 'default secure' mode.
2) the security level of either one can be improved *greatly* by
carefuly tailoring of the system.
3) NT _as_shipped_ *may* be more secure than a default UNIX install.
4) It is _easier_ to strip a UNIX-based system down to the "bare essentials"
for a specialized task. UNIX 'theory of operation', and descrip-
tions of interactions and dependencies between pieces, are *far*
more _readily_ available than the equivalent NT data.
5) A UNIX-based system can be stripped _further_ than a NT one can.
Fewer services -in- the kernel, more things in external, "daemon',
programming. One can *completely* eliminate any risk associated with
such, by _removing_ unused daemon. If it _has_ to be there, but is
just 'disabled', one of the first things a successful break in will do
is *re-enable* that 'dangerous' service.
6) It takes considerably more effort to *keep* an NT system secure --
"Service Packs", and other fixes have this nasty tendency to re-enable
things that have been _deliberately_ turned off.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
