Firewall Wizards mailing list archives

Re: Nokia/Checkpoint firewall


From: Jerald Josephs <jerald.josephs () iprg nokia com>
Date: Tue, 08 Feb 2000 01:37:01 -0800



Josef Pojsl wrote:

Jerald,

many thanks for your input. I was especially concerned about the version
of FreeBSD that your product is based on. I was not able to find
any reference about it on your web site - have I missed something?


I don't believe that it is posted on our web site. That was my contribution from
within.


To restate my position, it comes from my strong belief that open systems
are more secure. I did not mean to impeach anyone's competence personally.
Still, IMHO, fixes and enhancements given to the public are likely to be
more secure. For any security fixes and/or enhancements made by Nokia,
I would expect one of the following to happen:

1) You send them to the FreeBSD team that will eventually create patches
   or, in the case of new features, (a) port(s). This is my favourite
   as the authors of the OS know their system better than anyone.


It is possible that the FreeBSD team might be able to integrate the changes that we
make to IPSO, but I sincerely doubt it. The core of IPSO's TCP/IP has deviated from the
FreeBSD code base since 2.2.6.

IPSO is an operating system that is different from FreeBSD as much as SunOS is.


2) If you want to keep your changes private and base your business
   on them, you transparently explain what exactly has been changed
   or added and how (ideally, you would make the sources public,
   eventually still keeping your intellectual property).


Not a bad suggestion, but certainly one that would be made by others within
the organization. :-)


With full respect to the skills and commitment of your team,
I can't fully trust general statements about higher
security of your product unless there is a chance to look at it in detail.


That makes sense to me.
Perhaps I would have been wiser to state that IPSO is a hardened operating system that
could be compared to what you would have if you installed the Solaris Core + enough
packages, in order to run ASET and BSM, preparing the system to be a firewall.

I would like to refer to this as a hardened OS. This, and the known FreeBSD TCP/IP
security holes that have been plugged up, are the two things that I was thinking of
when I made my statement that IPSO is more secure than FreeBSD.

Cheers,  Jerald


With regards,
Josef

On Fri, Feb 04, 2000 at 09:02:17PM -0800, Jerald Josephs wrote:
IPSO is based upon FreeBSD 2.2.6.
All known security issues in FreeBSD have been incorporated into IPSO
as we have become aware of them.

Whereas FreeBSD is an effort supported by contributions from many sources,
IPSO development is a concerted effort under the focused attention of a group
of engineers that include some who have been involved in UNIX development
since the beginning of UNIX.

I respect your concern, Josef, however, IPSO is MORE SECURE than any
implementation of FreeBSD that you can obtain.

You suggest that Nokia is not competent when it comes to OS development
because you assume that the Security Platforms are engineered by those who
are responsible for other Nokia products, such as mobile phones.  Perhaps you
don't recall that Nokia acquired Ipsilon Networks in 1997 and the IP in IP650
means Ipsilon. The Nokia Security Platform continues to be developed under
the direct supervision of the original core group that made up Ipsilon Networks.

I am one of them.

Sincerely,

--- Jerald Josephs

--
Jerald.Josephs () iprg nokia com  (650) 625-2175 (office)
Manager Proactive Services
Nokia IP Routing Group   http://www.iprg.nokia.com
Customer Support   (888)477-9824 or (650)625-2525
