Firewall Wizards mailing list archives

RE: Firewall Throughput


From: "Robert Purdy" <liteyear () ihug co nz>
Date: Fri, 15 Sep 2000 20:26:46 +1200


Not to split hairs, but Free/Open/NetBSD aren't part of the GNU or
Linux projects.  They are licensed under the BSD License, which has similarities
and major differences with the GPL.


Point taken; in my haste I made a mistake.

Purely because businesses don't have the time or capital to pay
someone to go over the code and check it.

At least you have the option should you find the time/$$$.

Not to be disrespectful, yes, companies that are worried about security
should spend the time and the money, but in reality 98% (guesstimate) of
companies don't have the time or money to fund something like that.

code and it's exploiting it left, right and center? (There is a
flip side to the argument for this: that there could be a hole
in CP or PIX that is unreported.)

One should point out that the BSD derivatives, and especially OpenBSD, have
shown themselves to have *far* fewer exploits than commercial OSes like
Solaris or NT.  OpenBSD hasn't had a published remote root exploit in like
3 years, even though the code is freely available.  The reason for this is
because the OpenBSD team *does* a security audit for all their code;
they're actually quite religious about it.  You might be able to argue
their methodology, but you can't argue the results.

Yes, but a lot of exploits come out of poor installations and
configurations.  Those exploits that have been found over the past
9-12 months have been fundamental and exploited many firewalls.

There is a problem in that the closed nature of NT and Solaris means no-one
audits the code that forms the fundamental building blocks of the firewall
(namely the TCP/IP stack).  This is where commercial firewalls fall down;
hopefully the split of MS may go some way towards rectifying this.


At least with closed code it's going to take something more than a script
kiddie or someone with time on their hands to break it.

Also, with closed source code you're locked into the ability of the vendor
to provide a fix, which often takes weeks or months.  Open source code, from
what I see, tends to be fixed much quicker than commercial software.

Checkpoint had a service pack out days after the Blackhat release @ the
conference.  Checkpoint actually contacted the guys from Norway? and asked,
weeks before its release, what was wrong and how they could work to fix it.


Well, shouting at some tech support guy who probably doesn't know how to
write a line of code him/herself may feel really good (I've done it
myself), but the reality is that it doesn't really help me any.  I'd much
rather have the email address of the author and find out what's going on
(nicely).  My experience has been that they are very eager to help and
generally more capable than their commercial counterparts.

Well, not so in my experience.  My last trouble ticket with Checkpoint was in
NZ for a day, escalated to Aussie the next, then US; they built the exact
firewall I had and spent 2 days on the phone with me.  After that it was
escalated to Israel, where we have been sending emails back and forth over
the past month.  The problem is still not resolved, but this is not their
fault in that they cannot replicate the problem and all the data I am providing
isn't pointing to anything in particular.  Responses are about a day
apart, but this would be the same if I was waiting for a post in a newsgroup
(that may never come).

Aaron

PS. Actually I love Linux and use it all the time for just about
everything, but I've got to admit that OpenBSD is the most secure OS out
there, hands down.

Me too; the only reason I use NT is because customers either demand or are
bound to it.  Linux is what I want and do run at home.

I never meant this to be a flame war about Open Source; if people feel
strongly against it they should post to me and not the list.


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards