Firewall Wizards mailing list archives
RE: Open Source vs. Closed Source [ was Re: Firewall Throughput ]
From: "Domenico De Vitto" <dom () devitto demon co uk>
Date: Thu, 14 Sep 2000 22:25:20 +0100
I totally agree with Chris. You need only look at the FTP-rulebase-opening bug, first found in FW1 and then in other products. How long did it take for Cisco to find (assuming a good guy didn't tell them) & then fix that one - 12 months? I'm pretty damn sure that a few blackhats were smiling for some time, especially when you think that the bug was in these products since they added layer-7 stateful inspection... a long time ago. Compare this to the very obscure, complex and configuration-dependent security bugs that have been found with the open source 'IP filters' in the last 12 months....

Dom

-----Original Message-----
From: firewall-wizards-admin () nfr net [mailto:firewall-wizards-admin () nfr net] On Behalf Of Chris Calabrese
Sent: 14 September 2000 14:36
To: Robert Purdy
Cc: Darren Reed; Patrick Darden; darren.mackay () uq net au; firewall-wizards () nfr net
Subject: Open Source vs. Closed Source [ was Re: [fw-wiz] Firewall Throughput ]

I must disagree most strongly on this point. In the course of testing products that we use around here for security holes, I have discovered numerous holes in numerous closed source products. This was all done using simple testing techniques with no special equipment. I'm talking simple things like nmap scans and following up to make sure a security advisory for one system doesn't apply to others. This is a lot easier than reading the (quite voluminous) source code to FreeBSD, Linux, etc., and anyone could have discovered these holes if they tried.

In almost every case, when I've reported these holes to the vendors, they were ignored. Since I am constrained in my ability to disclose these holes to the general public (for other reasons), the holes are still out there waiting to be exploited. If this was in the Open Source world, I would have produced a patch and sent it out to the world. Instead, they stand waiting for discovery by malicious users. Or perhaps they have already been discovered!?!
This also matches my experience when I've worked for major software vendors. Security holes generally are only addressed if genuine customers complain about them, if the company's own IT shop complains about them, or if some certification that's needed for a big contract gets rejected because of them.

Finally, if you think nobody has access to the source code just because the vendor doesn't make it available to the general public, you're sorely mistaken. You'd be amazed at how easy it is to get the source to something if you really want it (through employees, through business partners that have source, etc.).

That's not to say that there aren't any problems in the Open Source model from a security standpoint, but there's no way you can convince me that closed source is safer. And don't even get me started on the implications of UCITA on the Open Source vs. proprietary issue!

--Chris

Robert Purdy wrote:
> No offense, but I have Solaris, BSD, AIX, and Linux running here--and all of them are stable and reliable. I had one hard-used Linux server running for almost 2 years before I recently took it down for some upgrades.

Do yourself a favour and stay ignorant of the development methodology that goes on "behind the scenes" with Linux. What are they now, 2.4.pre34-test83, and still making major architectural changes inside it. That's *insane*.

> Sure, Solaris is stable, but you can't strap it down as securely as you can BSD, plus you get source code for BSD.

That's great, I can get the source code for BSD.... well, I know I have 2 months and $16,000 to lose in down time while I pore over BSD code to make sure it's safe to use. Don't get me wrong; I am an avid fan of the GNU project and of Linux (I run it at home as my firewall), but the idea of "source code being available" as an argument doesn't sit with me. Purely because businesses don't have the time or capital to pay someone to go over the code and check it. I know 15-25yo males with a lot of spare time do, and they find holes. What's to say the 18yo Joe hasn't found a hole in the BSD code and is exploiting it left, right and center? (There is a flip side to the argument for this, that there could be a hole in CP or PIX that is unreported.) At least with closed code it's going to take something more than a script kiddie or someone with time on their hands to break it.

I dunno, maybe I am off the beaten track, but I certainly prefer someone to shout at when things turn to custard. And strangely enough, so do the people that pay my fees.

Regards,
Rob Purdy

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
Current thread:
- Open Source vs. Closed Source [ was Re: Firewall Throughput ] Chris Calabrese (Sep 14)
- RE: Open Source vs. Closed Source [ was Re: Firewall Throughput ] Domenico De Vitto (Sep 16)
- <Possible follow-ups>
- Re: Open Source vs. Closed Source [ was Re: Firewall Throughput ] amanda (Sep 16)
- Re: Open Source vs. Closed Source [ was Re: Firewall Throughput ] Doug Hughes (Sep 18)
- Re: Open Source vs. Closed Source [ was Re: Firewall Throughput ] ark (Sep 20)