(Ack, followup to my own post)

Actually, after thinking about your proposed solution for a few
more minutes, I realised that it still is not good enough.

Let us speculate.

You have an IIS4 machine running in the DMZ, that still has
.HTR parsing enabled. -YES, folks, this is just an example.
I know that there are patches out for this particular bug.
And to keep my back clear, we could also assume that this
is a *nix web server with a poorly written CGI script.

If that machine was to be compromised, and you still had
the Wolverine-on-steroids IP stack attached to interfaces 
connected to "secure" networks, intruders would be able 
to attack the firewall from the inside. 

Maybe to the extent that they'd be able to reconfigure
the firewall to allow traffic from the Internet to
the internal network?

This would be A Bad Thing(tm).

The only solution would then be to attach your own IP
stack to ALL interfaces of the firewall, which only
brings us closer to my proposed solution. ;-) 

Actually, what firewall vendors do on *nix systems
is make changes to the IP stack in the OS to make
them More Secure(tm). This is unfortunately not possible
on NT since you have no access to the code base.
This leaves two options:
1) Try to filter what the IP stack receives, which
requires total knowledge of the weaknesses in the
IP stack, which again is not possible if you
cannot review the code.
2) Roll your own IP stack.

1 is bad due to security considerations and 2 is too 
much work in comparison to being able to just 
modify an existing one. These are compelling 
reasons for firewall vendors to use *nix as platforms 
for their firewall products.


This of course is not Microsoft bashing. It is simply
the discussion of "why firewall vendors prefer being able
to review (at least) the IP stack code". There are
other operating systems with proprietary IP stacks
where no source code review is possible. Unix systems
and NT are simply the two most popular OSes in today's
networking environments, which is why the debate is
seemingly "NT vs. Unix".

!!!! Consumer advice! Blatantly personal views with 
!!!! no factual background follow. 
!!!! We now return you to your favourite pastime.

AND (whew this is getting a lot longer than I originally
intended) to counter the recurring rebuttal
"but NT people and clueless admins in general are more 
used to graphical interfaces, and hence make fewer
mistakes if they can do their configuration in a
familiar environment" ....

Just because the firewall itself only has a CLI doesn't
mean there can't be a nice-looking GUI with lots of 
helpful Office Assistants running on a management 
station on the internal network. 

As I see it though, firewall configuration interfaces
SHOULD NOT be too aesthetically pleasing. Why? If it looks 
more complicated than your average office range software,
clueless admins are more likely to hire a clued consultant
that actually KNOWS what he's doing rather than trying
to get ICQ working by opening up all ports from 1024 through
65535.

This debate will of course be moot the day that the 
firewall software itself can determine that the admin
is doing Something Clueless(tm). But by the time we get to
the point where the firewall _truly_ is intelligent enough
to do that, it could probably just configure itself dynamically
based on what is happening on the connected networks, and
then we won't need any sort of configuration interface.
Et voila! 
(Oh, by the way, I don't think that's very likely to
 happen in the near future.)

This has drifted far enough from the original subject now.
AND consumed too much of my employer's time :-)

Later,
/Mike

I previously wrote:
> 
> Yes, you are right, this would make it much more secure.
> 
> But if you're going through all the trouble of rolling your
> own IP stack, why bother with running it under NT in the first place,
> when you could just as easily run it on your own miniature operating
> system? That way you'd save $$$ for your customers who won't have
> to buy NT (or any other OS for that matter).
> 
> Besides, I like that solution better anyhow, since it keeps
> nitwit admins with a low IT budget from installing 3rd party
> software on the firewall itself. :-)
> 
> 
> Don Kelloway wrote:
> >
> > What you're speaking of, is unfortunately an issue where the firewall runs
> > on top of MS's IP stack. However, if one were to do the following:
> >

[10 point list on how to make an NT firewall secure by using your 
own IP stack on the external interface]

> > The end-result? A pretty darned secure installation, if you ask me...
> >
> 

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
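Added illustration, not part of Mike's post and not code from any firewall product discussed in this thread: a small first-match packet-filter model in Python that plays out the two failure modes above. The weak policy lets the firewall's management service answer on every interface (so a compromised DMZ host can reach it) and carries the "open 1024 through 65535 for ICQ" rule; the hardened policy accepts management only from the internal network on the internal interface and drops everything else addressed to the firewall itself. The interface names, addresses (TEST-NET and RFC 1918 ranges), the management port 8888 and every rule are constructed for this example.

```python
# Toy first-match packet-filter model (constructed example, not the
# firewall product or code discussed in the post).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical: the firewall's own address on each interface.
# TEST-NET / RFC 1918 ranges, all constructed for this example.
FW_ADDRS = {"ext": "203.0.113.1", "dmz": "192.0.2.1", "int": "10.0.0.1"}
FW_MGMT_PORT = 8888  # hypothetical management service port


@dataclass(frozen=True)
class Rule:
    iface: str              # ingress interface name, or "*" for any
    src: str                # CIDR, or "*"
    dst: str                # CIDR, "*", or "FW" (any address of the firewall itself)
    ports: Optional[tuple]  # inclusive (low, high) destination port range; None = any
    action: str             # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrives on
    src: str
    dst: str
    dport: int


def _addr_matches(pattern: str, addr: str) -> bool:
    if pattern == "*":
        return True
    if pattern == "FW":
        return addr in FW_ADDRS.values()
    return ip_address(addr) in ip_network(pattern)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface != "*" and rule.iface != pkt.iface:
        return False
    if not _addr_matches(rule.src, pkt.src) or not _addr_matches(rule.dst, pkt.dst):
        return False
    if rule.ports is not None and not (rule.ports[0] <= pkt.dport <= rule.ports[1]):
        return False
    return True


def decide(policy: list, pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in policy:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Weak policy: management answers on every interface, and the "get ICQ
# working" rule lets the Internet reach any high port on the inside.
WEAK_POLICY = [
    Rule("*", "*", "FW", (FW_MGMT_PORT, FW_MGMT_PORT), "allow"),
    Rule("ext", "*", "192.0.2.0/24", (80, 80), "allow"),
    Rule("ext", "*", "10.0.0.0/8", (1024, 65535), "allow"),
]

# Hardened policy: the firewall itself accepts management only from the
# internal network on the internal interface; every other packet addressed
# to the firewall is dropped before any service rule is consulted.
HARDENED_POLICY = [
    Rule("int", "10.0.0.0/8", "FW", (FW_MGMT_PORT, FW_MGMT_PORT), "allow"),
    Rule("*", "*", "FW", None, "deny"),
    Rule("ext", "*", "192.0.2.0/24", (80, 80), "allow"),
]

# Constructed scenarios, keyed by a short name.
SCENARIOS = {
    # a compromised DMZ web server trying the firewall's management port
    "dmz_host_to_fw_mgmt": Packet("dmz", "192.0.2.10", FW_ADDRS["dmz"], FW_MGMT_PORT),
    # the Internet reaching an arbitrary high port on an internal host
    "internet_to_internal_high_port": Packet("ext", "198.51.100.7", "10.0.0.5", 5000),
    # the legitimate management station on the internal network
    "admin_station_to_fw_mgmt": Packet("int", "10.0.0.20", FW_ADDRS["int"], FW_MGMT_PORT),
    # ordinary web traffic to the DMZ server
    "internet_to_dmz_web": Packet("ext", "198.51.100.7", "192.0.2.10", 80),
}


def audit(policy: list) -> dict:
    """Return the verdict of `policy` for each named scenario."""
    return {name: decide(policy, pkt) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit(policy))
```

Rule order is the whole point of the hardened list: the blanket "deny to FW" sits above the DMZ web rule, so a packet from the Internet to port 80 on the firewall's own DMZ address is dropped even though that address falls inside 192.0.2.0/24. Put the service rules first and the firewall quietly becomes reachable again.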
