On Tue, 5 Oct 1999, Laurent Butti wrote:
> Hello,
>
> I have a question: do firewalls replace (or configure) TCP/IP stacks,
> particularly in the NT world?
In the NT world, yes, a few products replace the IP stack. In the Unix world,
I'm not aware of any that replace the stack (not that it's not possible, but
the original implementations were vendor-based, or in close
cooperation with vendors who could harden the stack that was already there),
though some open raw sockets and handle the implementation details themselves.
There were problems with the initial NT IP implementation and a low level of
trust in Microsoft's code historically, so some vendors who wished to still
market "NT Firewalls" initially added a stack they had more confidence in,
initially reducing NT to the role of boot loader and process manager.
Microsoft's stack has improved over time, so it's not a given that this
still adds a great deal of value. If the vendor didn't replace the stack
though, I'd want to know that they're looking at MS' source esp. after
service packs that affect it if I were in the position of using their
products.
> If yes, which products ? What is changed in the configuration of the
You'll have to ask the vendors or hope for another answerer, I don't and
won't use NT as a firewall in its current incantation, and I'm less than
happy with almost any of the commercial firewalls these days under any
OS.
In either case, it's really almost moot unless you trust the vendor to have
done a complete audit of the stack correctly or you spend significant time with
packet generators testing the stack's behaviour to various inputs. If
you look at the bug list for any commercial firewall vendor, you'll
probably end up with as much confidence in 'Quality Assurance' as I have, which
is zero.
> TCP/IP stack ?
About the only thing you can change in an IP stack without the source
code is performance tuning (window sizes, timeout values...). I would
guess under NT that would mean changing registry settings, if it's
possible to affect those settings at all. Any documentation on high-volume
Web server performance would be a good starting point.
I think it comes down to what you expect a firewall to do for you. If
you're like 'most' firewall consumers, almost any of the products will be
indistinguishable in actual use because you'll let a significant amount
of traffic go through the firewall and not attempt to do a high level of
end-user auditing. Only the type of firewall will determine how much
additional vulnerability there is, but the configuration will probably
leave more issues open than the products.
If you expect to enforce an extremely conservative policy and do significant
auditing and authentication you'll either get to know your vendor's technical
support department *really well*, or you'll end up using Open Source software
and modifying it to meet your requirements and scalability needs.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
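The reply above says the only real alternative to trusting a vendor's stack audit is to spend time with packet generators and watch how the stack reacts to odd input. As an added illustration (this is not code from the original post, from Paul, or from any firewall product), the following Python builds raw IPv4/TCP packets with correct header checksums, including the classic malformed-flag probes (no flags, SYN+FIN, FIN+PSH+URG) that are the usual first inputs to throw at a stack, and verifies the checksums the way a receiving stack would. The addresses, ports, probe names and the gated `send_raw` helper are assumptions for illustration; actually transmitting needs a raw socket and root, which the example does not do unless you call `send_raw` yourself.

```python
"""Minimal IPv4/TCP packet generator for exercising a TCP/IP stack with odd inputs.

Added example: not from the original mailing-list post. Addresses, ports and
probe names below are assumptions chosen for illustration.
"""
import socket
import struct

# TCP flag bits (low byte of the data-offset/flags word), per RFC 793.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Assumed probe set: flag combinations a conforming stack must either RST or drop,
# and which historically tripped assertions or leaked state in weak stacks.
PROBES = {
    "null": (),                      # no flags at all
    "syn_fin": ("SYN", "FIN"),       # contradictory: open and close at once
    "xmas": ("FIN", "PSH", "URG"),   # flags lit up with no SYN/ACK
    "syn": ("SYN",),                 # control: a normal connection request
}


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad the last byte as the high half of a word
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64,
                      proto: int = socket.IPPROTO_TCP, ident: int = 0,
                      flags_frag: int = 0) -> bytes:
    """20-byte IPv4 header (no options) with the checksum filled in."""
    total_len = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_tcp_segment(src: str, dst: str, sport: int, dport: int, flags,
                      seq: int = 0, ack: int = 0, window: int = 8192,
                      payload: bytes = b"") -> bytes:
    """20-byte TCP header (no options) plus payload, checksummed over the pseudo-header."""
    flag_bits = 0
    for name in flags:
        flag_bits |= TCP_FLAGS[name]
    offset_flags = (5 << 12) | flag_bits  # data offset 5 words, reserved bits zero
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(hdr) + len(payload)))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def build_packet(src: str, dst: str, sport: int, dport: int, flags, **kw) -> bytes:
    """Complete IPv4 datagram carrying one TCP segment."""
    segment = build_tcp_segment(src, dst, sport, dport, flags, **kw)
    return build_ipv4_header(src, dst, len(segment)) + segment


def build_probe_set(src: str, dst: str, sport: int, dport: int) -> dict:
    """One packet per entry in PROBES, keyed by probe name."""
    return {name: build_packet(src, dst, sport, dport, flags) for name, flags in PROBES.items()}


def verify_checksums(packet: bytes) -> bool:
    """Re-check both checksums as a receiver would: a valid sum folds to 0xFFFF."""
    ihl = (packet[0] & 0x0F) * 4
    ip_ok = ones_complement_sum(packet[:ihl]) == 0xFFFF
    segment = packet[ihl:]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, packet[9], len(segment))
    tcp_ok = ones_complement_sum(pseudo + segment) == 0xFFFF
    return ip_ok and tcp_ok


def tcp_flags_of(packet: bytes) -> set:
    """Names of the flags set in the TCP header of a built packet."""
    ihl = (packet[0] & 0x0F) * 4
    bits = packet[ihl + 13]
    return {name for name, bit in TCP_FLAGS.items() if bits & bit}


def send_raw(packet: bytes, dst: str) -> None:
    """Transmit with a raw socket (needs root; IPPROTO_RAW implies IP_HDRINCL on Linux)."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(packet, (dst, 0))


if __name__ == "__main__":
    # Assumed lab addresses; nothing is sent unless you call send_raw yourself.
    for name, pkt in build_probe_set("10.0.0.1", "10.0.0.2", 40000, 80).items():
        print(f"{name:8s} {len(pkt):3d} bytes flags={sorted(tcp_flags_of(pkt))} "
              f"checksums_ok={verify_checksums(pkt)}")
```

The design point is that the generator builds the checksums itself rather than relying on the kernel, because a probe is only useful if the target stack accepts it far enough to reach its flag-handling logic; a bad checksum is dropped before any of the interesting code runs. The IPv4 checksum routine is checked against the well-known header vector `4500 0073 0000 4000 4011 b861 c0a8 0001 c0a8 00c7`, whose checksum is `0xb861`. To watch a real stack, capture on the target while calling `send_raw` with each probe and compare the replies (RST, SYN/ACK, or silence) against what the RFCs say a conforming stack should do.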