>> Second:  Baggage/Design.  You can't pare that sucker down to essential
>> services and code.  Worse yet, most of what you'd worry about isn't
>> documented well enough to help in an attempt.  There's also a great deal
>> of non-IP networking baggage, and perhaps some IP networking baggage
>> that
>> doesn't seem to have an off button.  In fact, lack of off buttons is a
>> big thing overall.  Sometimes the off buttons are undocumented registry
>> settings - what a joy that is to replicate!
>
>Such as?  I can pare down my NT machines to exactly the processes 
>and services I want running.  Why not run the network
>control panel and remove everything you don't want?  Look at the 
>services control panel and the "Stop" button.  Looks
>like a great big off switch to me.

        (1) The binaries are still ON THE MACHINE, which means that 
the services could be restarted. The original author was (I assume) 
talking about "physically" removing them from the machine.

        At least with Unix, you can find all the parts.

        (2) Turn these all off, and then install a service pack. How 
many of them are turned back on? This isn't a big deal when you have 
only one or two servers, but try it with a 100-machine server farm.

>> Fifth:  Tools/utilities.  Trying to diagnose network problems from an NT
>> server is sometimes an exercise in frustration and 3rd party products.
>> When that problem is an attack it can be downright frustrating.  Some of
>> this is familiarity, and some of it is based on adding more of those
>> darned library-updating programs we touched on in #3.
>
>Between network sniffing and the command line tools (ping, tracert 
>and netstat etc.) I've had no problems at all getting
>to the bottom of network problems.  YMMV of course, but in the 
>context of firewalls (SMB, NCP, Appletalk etc aside) it
>is all very straight forward.

        Yeah, if you can get NT to acknowledge there is actually a 
network card in the machine in the first place--and then if 
additional installations (active-hextop) don't blow that away. Grrr.

>> Eighth:  Support/Staffing.  While there are a gazillion people with MS
>> certifications and really good looking resumes, there aren't a large
>> number of people who really know NT.  What some people consider "knows
>> the OS in depth" is "Can check check boxes and usually find the right
>> dialog."  I find that it's much easier to get a read on how much *nix

        This is (IMO) another HUGE problem with NT--bloated nasty 
monster configuration files full of arcane mumbo jumbo (instead of 
nice "neat" little configuration files full of arcane mumbo jumbo)

>
>Really, this list is a pretty good description of the perception of 
>NT by people who have spent most of their lives on
>other systems and haven't taken the time to look past the mass of 
>paper MCSEs and people who know a lot more about
>opening up networking than locking it down.  As a case of 
>perception, NT still has a long way to go in the security
>community.  As for what it is actually capable of, it can secure a 
>network as well as any mainstream Unix can when used
>properly as a firewall.  It comes down to what the requirements are 
>and what the people maintaining the system are going
>to be able to use more efficiently.

        There is a wonderful essay by Neal Stephenson at 
http://www.cryptonomicon.com/beginning.html . It's long but 
interesting.

        Oh, and if you are using *nix, it's going to help to do a
s/$/<\/p><p>/ and open it in a web browser. He formatted the PC 
version badly for us.
--
We have only come here seeking knowledge
Things they would not teach us of in college.--The Police

http://www.atypon.com                              [EMAIL PROTECTED]
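Points (1) and (2) above are, in practice, a configuration-drift problem: you need a per-host baseline of what is disabled, and a way to tell, after a service pack, what came back. The following is an added example, not code from the original thread or from any of the posters. It diffs a snapshot of service start modes taken before the service pack against one taken afterwards, across several hosts, and flags anything re-enabled, started, or newly installed; it also lists disabled services whose binary is still present, which is what (1) is about. The CSV layout (Host,Name,StartMode,State,PathName, using the Win32_Service vocabulary Auto/Manual/Disabled) and both snapshots are constructed for the example; on NT the same data would come out of the Services control panel or the registry, and collecting it is assumed to be done separately.

```python
"""Diff per-host service snapshots taken before and after a service pack.

Added example (not from the original thread). Snapshot columns are an
assumption: Host,Name,StartMode,State,PathName, with StartMode in
{Auto, Manual, Disabled} and State in {Running, Stopped}.
"""
import csv
import io
from dataclasses import dataclass

# Constructed "before" snapshot: two firewall hosts, hardened by hand.
BEFORE = r"""
Host,Name,StartMode,State,PathName
fw01,Messenger,Disabled,Stopped,C:\WINNT\System32\services.exe
fw01,Spooler,Disabled,Stopped,C:\WINNT\System32\spoolss.exe
fw01,LanmanServer,Disabled,Stopped,C:\WINNT\System32\services.exe
fw01,EventLog,Auto,Running,C:\WINNT\System32\services.exe
fw02,Messenger,Disabled,Stopped,C:\WINNT\System32\services.exe
fw02,Spooler,Disabled,Stopped,C:\WINNT\System32\spoolss.exe
fw02,EventLog,Auto,Running,C:\WINNT\System32\services.exe
"""

# Constructed "after" snapshot: what a service pack might leave behind.
AFTER = r"""
Host,Name,StartMode,State,PathName
fw01,Messenger,Auto,Running,C:\WINNT\System32\services.exe
fw01,Spooler,Disabled,Stopped,C:\WINNT\System32\spoolss.exe
fw01,LanmanServer,Auto,Running,C:\WINNT\System32\services.exe
fw01,EventLog,Auto,Running,C:\WINNT\System32\services.exe
fw01,RasMan,Manual,Stopped,C:\WINNT\System32\rasman.exe
fw02,Messenger,Disabled,Stopped,C:\WINNT\System32\services.exe
fw02,Spooler,Manual,Stopped,C:\WINNT\System32\spoolss.exe
fw02,EventLog,Auto,Running,C:\WINNT\System32\services.exe
"""


@dataclass(frozen=True)
class Service:
    host: str
    name: str
    start_mode: str  # Auto / Manual / Disabled
    state: str       # Running / Stopped
    path: str        # binary path; empty if the snapshot found none


def parse_snapshot(text):
    """Parse a CSV snapshot into {(host, name): Service}."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return {
        (r["Host"], r["Name"]): Service(
            r["Host"], r["Name"], r["StartMode"], r["State"], r["PathName"]
        )
        for r in reader
    }


def find_drift(before, after):
    """Return services that were re-enabled, started, or newly installed.

    Each finding is {"host", "name", "reasons"}; a service that was
    Disabled+Stopped and is now Auto+Running gets two reasons.
    """
    findings = []
    for key in sorted(after):
        new = after[key]
        old = before.get(key)
        reasons = []
        if old is None:
            reasons.append("new service installed")
        else:
            if old.start_mode == "Disabled" and new.start_mode != "Disabled":
                reasons.append(f"start mode Disabled -> {new.start_mode}")
            if old.state != "Running" and new.state == "Running":
                reasons.append("now running")
        if reasons:
            findings.append({"host": new.host, "name": new.name,
                             "reasons": reasons})
    return findings


def restartable(snapshot):
    """Disabled services whose binary is still on disk (point (1) above)."""
    return [(s.host, s.name, s.path) for s in sorted(snapshot.values(),
            key=lambda s: (s.host, s.name))
            if s.start_mode == "Disabled" and s.path]


def report():
    before, after = parse_snapshot(BEFORE), parse_snapshot(AFTER)
    return find_drift(before, after), restartable(after)


if __name__ == "__main__":
    drift, still_there = report()
    for f in drift:
        print(f"{f['host']:6} {f['name']:14} {'; '.join(f['reasons'])}")
    for host, name, path in still_there:
        print(f"{host:6} {name:14} disabled but binary present: {path}")
```

Run against the constructed data it reports Messenger and LanmanServer on fw01 as re-enabled and running, RasMan on fw01 as new, and Spooler on fw02 as switched from Disabled to Manual; the point is that a plain "is it Stopped right now" check misses the Manual case, which only bites the next time something starts the service.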