
Re: [FW1] Checkpoint on FreeBSD - revisited




On Fri, 3 Sep 1999, Kevin Mahler wrote:

> I'm curious why you are not considering a Sun solution.  Check Point
> runs very well on Sun boxes with Solaris.  I am a big fan of Linux but
> we run our FW on a Sun UltraSparc 10.  It works flawlessly.  You can
> purchase an Ultra 5 that will run Check Point FW-1 very well for about
> $3.5K.  This is very reasonable considering the performance and
> reliability.

Hmmm. All of my CheckPoint FW-1 boxen are Sun SPARC architectures. In
fact, all but one are Ultras. Still, personally, I would like to see a
port to OpenBSD over Linux. Why? Simple answer is: SECURITY! In OpenBSD
every single line of code in every single distribution has been examined,
individually, by programming security experts, one line at a time, for
security flaws. Anything the slightest bit suspect is rejected until it is
secure.

How do I know it is secure? One of the boxes on my DMZ is a 100% default
install of OpenBSD, via FTP from one of their Canadian servers - with the
single exception that I added ssh 1.2.27 for administration use. The
kicker is, that machine provides public, anonymous access with full shell
privileges to anyone in the world. No password or other authentication
required. Not a day goes by without someone (usually more than one
someone) attempting to hack the root account on that box. They have tried
everything under the sun - things from the mundane to the really bizarre.

Now, you might wonder why I put such an unknown OS as OpenBSD in when
there are other, better known Open Source OSs out there such as Linux.
Well, initially we had a Sun SPARC server providing this anonymous shell
access service and the root account was broken in less than one day.
Obviously, that will not do. We hastily jerked the Sun box off wire and
replaced it with the OpenBSD machine. That was almost two years ago.
Still, not a single break-in, despite literally hundreds, if not
thousands, of attempts. I never, ever, set even a Sun Solaris FW-1 system
without extensive reconfiguration for security purposes. This is simply
not necessary with OpenBSD. Ever. Period.

FWIW.

> 
> Kevin
> 
> 
> At 03:28 PM 9/3/99 -0700, you wrote:
> 
> >On Fri, 3 Sep 1999, Iven Connary wrote:
> >
> > >
> > > Is it possible to run Firewall-1 on a standard FreeBSD system - i.e. not
> > > Nokia's IPSO distribution?
> > >
> > > Our management server croaked the other day (NT platform, go figure), and I'm
> > > looking for a low cost (free) alternative for a new management box.  I'm
> > > leaning towards a *nix solution for stability and remote admin purposes.
> > > Solaris on i386 came to mind, but the Checkpoint website indicates that only
> > > SPARC architecture is supported.  FreeBSD seems like the only potential
> > > alternative.
> > >
> > > This question has been asked before on this list (~1 year ago), but I'm
> > > hoping by now someone might have a definitive answer on whether or not it
> > > can be done.  Nokia has obviously done it, but to what extent was the kernel
> > > source modified to make it work?
> > >
> > > If someone has an answer/alternative, I'd greatly appreciate it.  I'd
> > > *really* rather not have to turn back to NT.  Damn I wish they'd write a
> > > Linux port...
> >
> >A Linux port would be great. An OpenBSD port would be far greater!!!
> >
> >See http://www.openbsd.org to see why.
> >
> > >
> > > Iven
> > >
> > > -------------------------------------
> > > Iven Connary
> > > Security Consultant
> > > Planning Technologies Inc.
> > > -------------------------------------
> > >
> > >
> > >
> > >
> > > ================================================================================
> > >      To unsubscribe from this mailing list, please see the instructions at
> > >                http://www.checkpoint.com/services/mailing.html
> > > ================================================================================
> > >
> >
> >
> >
> >Regards:
> >
> >John Horn
> >City of Tucson, IT Dept.
> >jhorn1@desperate.ci.tucson.az.us
> >
> >
> >
> 
> 



Regards:

John Horn
City of Tucson, IT Dept.
jhorn1@desperate.ci.tucson.az.us


