On Fri, 1 Feb 2002, Marc Sahr wrote:

> Well, it may be free, but consider this: Linux is open source, right?

That's most of the point of using it, not price.

> Anyone who wants to can figure out the holes that exist (and yes, they
> do exist) and exploit them, since the source is available to all. This

If you think that original source code is a requirement for finding security holes, you really ought to look at how many holes are found in closed source OSes - Solar Designer's NT syscall audit should be a good place to start.

> is of course true with ANY firewall. A programmer that writes code for a
> specific firewall product would know the holes that exist, and could
> exploit them.

An administrator with the source code can however do two things that an administrator without the source code has a much, much more difficult time doing:

(a) (S)/He can audit the source code for common programming errors.

(b) (S)/He can remove all the code that isn't necessary for his particular implementation.

> Bottom line: No product is foolproof, they all have their respective
> strengths and weaknesses. But when I put my company's (or my clients')
> data on the line I go with mainstream, recognizable products: Microsoft,
> Cisco, Dell, Compaq, etc. Linux as a firewall or server platform? It's

Ever sniffed Compaq's proprietary protocol to see what information it leaks about your machines? Ever counted the number of bugs in Microsoft's OS or Web server? Looked into CDP? Names don't provide assurance except for pencil pushers - history and engineering provide a much better platform for assurance than any name.

> OK for your home network, but not for real business application. Yes
> some have done this, yes IBM is now promoting it (so what?) but who
> cares? Free? You get what you pay for.

Having run most of the large commercial firewall products on the market in the past, as well as a good number of Open Source products (including both in the primary protection role for a multi-billion dollar enterprise), I can assure you that the bug rate is higher in most of the commercial products.

"You get what you pay for" may be true in terms of marketing features or interfaces, but it certainly isn't in terms of assurance and security. Start asking where all that money you're paying is going - you'll find marketing and developing "new features" much more often than you'll find QA or "independent code audit." Yep, "You get what you pay for," but you're paying for marketing, tradeshows, advertising and GUIs, not security features.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
