From: Jon Biddell [mailto:[EMAIL PROTECTED]]
[snip]
> So we'll let Mr Consultant install his M$ product (they don't want IT
> to have administrative control over it), then when I break it several
> times, maybe they'll see my point.
Actually, Checkpoint or FW-1 pretty much toast any Microsoft code (they
don't trust it) and use their own TCP/IP layers and packet filtering
mechanisms. About the only thing they use NT for is the UI and the NTLM
authentication stuff.
I wouldn't bother breaking it. You'll end up being thought a troublemaker
and no one will listen to your opinions, not to mention you'll get a black
flag as a potential hacker. Write a report saying you believe it is a
"higher risk solution" with "potential for information leakage and/or loss"
to your boss and keep a copy. If something ever happens you bring out the
report and say "I told you so" quickly followed by "I've planned for this
contingency and can implement a secure alternative as soon as you want it".
> Oh, and the funny side of all of this - the M$ solution that was
> demonstrated incurred a performance hit when "authenticating" through
> the firewall..... They had been running for a week with the Linux one
> installed and didn't even realise it.
Not wanting to defend the solution, but it was probably doing a lot more
than the IPChains one I assume you implemented. If they were doing user
level authentication then there is no way you are going to avoid a
performance hit on any OS. Of course the hit might be greater depending on
which OS you are authenticating against.
John Wiltshire
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug