> -----Original Message-----
> From: D Clyde Williamson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 8 June 2000 3:39 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Soapbox on firewall evals
>
>
> Ryan Reynolds wrote:
> >
> > Mikael:
> >
> > I agree wholeheartedly with you, but I think the reason is that the
> > security of a firewall is taken for granted. Nobody asks "How secure is
> > FW-1/Gauntlet/Sidewinder/etc.", they just assume that the products are
> > completely secure.
Which is obviously crazy, reading bugtraq lately.
My soapbox? I think the industry has gone way too far with extra firewall
features, trying to hold on to a dead architecture. VPN, content screening,
email checking, built-in bidet....
Perimeter / choke-point security is past it - we've all been told it a
million times. Host based security which is mutable according to a network /
enterprise wide policy is the way to go from here. Having said that, I'd
really like to see more work on good SPFs and good ALGs that don't do
anything fancy.
On another note, with the work Lance has done poking at FW-1 and all the
other commonly available firewall testing methods, shouldn't we be closer to
a pretty-much-objective test that rates firewalls in terms of security
against simple IP-based attacks / DoS? Someone just needs to collect all the
bits of code and script 'em...
[snip]
[ From: D Clyde Williamson ]
>
> Well, that's not exactly correct. If the firewall sits on top of an OS
> you have to worry about the security of the OS. If it implements its
> own IP stack (as many NT firewalls do since NT's IP Stack is
> hooey),
I'd love to be told I'm wrong, but as I've asserted before I believe this is
Just Wrong. I know lots of firewalls put wrappers around the NT stack by
hacking a network driver, but I'm fairly sure that the IP stack is part of
the kernel - and nobody rewrites that. I've also got issues with the 'NT's
IP Stack is hooey' comment, but that's less important. It's been a _long_
time since NT had any pure TCP/IP stack problems that led to potential
compromise. I can't get my NT boxen to even flicker when I pound at them
with iptest (OpenBSD IP stack testing tool) or some of the other torture
testers.
[snip]
>
> It isn't simply a matter of buying whatever you want as long as you can
> do a good job administering it. As my Grandpa always said: "You can't
> make a silk purse out of a sow's ear". And as Grandma always says
> "Heads that don't listen, feel".
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520