Firewall Wizards mailing list archives
Re: Additional TPC/IP stack
From: Darren Reed <darrenr () cyber com au>
Date: Mon, 10 Nov 1997 13:47:52 +1100 (EST)
In some mail I received from Jyri Kaljundi, sie wrote
> On Wed, 5 Nov 1997, Franco RUGGIERI wrote:
> > Do you feel that such additional checking in an ad hoc IP stack is valuable?
>
> Well Windows NT TCP/IP stack has probably had some security problems (like wrong reaction to OOB and other packets), and now that Milkyway has rewritten the whole NT TCP/IP stack for their firewall, at least they have said that there are other problems with it. So if you can, having a stack that has been written considering security is certainly better than what you get with any operating system. This is one thing you have to consider when choosing a fw product, but certainly having a robust and secure TCP stack only won't help so much when the OS itself is really buggy.

What I find quite amazing is that everyone here appears to be ready to believe that it is robust/stable/secure. I've yet to read anything that would make me believe it was any better than the TCP/IP found on Linux or Solaris a few years ago or Microsoft today (they wrote it from scratch too and have literally spent several years making up for it).

Did they use the BSD TCP/IP (or someone else's) as a base? Have they only implemented IP and not TCP/UDP/ICMP? Whilst they have made claims that being able to do it from scratch has meant they can do it with security as a focus, what does that mean for its ability to operate in a heterogeneous environment like the Internet?

In today's market, do you want a TCP/IP stack that is full of new bugs (but written with security in mind) or one which works and is more of a known quantity? Do I need one of those new stacks on my FreeBSD workstation or my Win95 workstation?

About the only benefit I can see is that the packets which do manage to exploit a problem must find a problem which exists in both the NT stack and the new one, rather than just one.

Darren