
Re: [FW1] Checkpoint on FreeBSD - revisited




With any OS you must take security seriously.  Maybe the
default load of OpenBSD is more secure than the default load
of Solaris but that does not make it a more secure OS.  Please tell
me you did some security tuning on your Sun boxes running
FW-1!  If OpenBSD is so secure out of the box, why
do they maintain a security advisory page?
<http://www.openbsd.org/security.html>  I don't agree with
your reasoning.  Every OS has holes.  It's your job to stay
on top of them.

I'm not against an OpenBSD or Linux port.  I think both would be
great.  I just prefer Solaris on Sun today.  As for security, if
you believe ANY OS is without holes, start reading.

As for Solaris on x86, just don't do it.  It's a dog!

Kevin


At 04:31 PM 9/3/99 -0700, John Horn wrote:
>On Fri, 3 Sep 1999, Kevin Mahler wrote:
>
> > I'm curious why you are not considering a Sun solution.  Check Point
> > runs very well on Sun boxes with Solaris.  I am a big fan of Linux but
> > we run our FW on a Sun UltraSparc 10.  It works flawlessly.  You can
> > purchase an Ultra 5 that will run Check Point FW-1 very well for about
> > $3.5K.  This is very reasonable considering the performance and
> > reliability.
>
>Hmmm. All of my CheckPoint FW-1 boxen are Sun SPARC architectures. In
>fact, all but one are Ultras. Still, personally, I would like to see a
>port to OpenBSD over Linux. Why? Simple answer is: SECURITY! In OpenBSD
>every single line of code in every single distribution has been examined,
>individually, by programming security experts, one line at a time, for
>security flaws. Anything the slightest suspect is rejected until it is
>secure.
>
>How do I know it is secure? One of the boxes on my DMZ is a 100% default
>install of OpenBSD, via FTP from one of their Canadian servers - with the
>single exception that I added ssh 1.2.27 for administration use. The
>kicker is, that machine provides public, anonymous access with full shell
>privileges to anyone in the world. No password or other authentication
>required. Not a day goes by without someone (usually more than one
>someone) attempting to hack the root account on that box. They have tried
>everything under the sun - things from the mundane to the really bizarre.
>
>Now, you might wonder why I put such an unknown OS as OpenBSD in when
>there are other, better known Open Source OSs out there such as Linux.
>Well, initially we had a Sun SPARC server providing this anonymous shell
>access service and the root account was broken in less than one day.
>Obviously, that will not do. We hastily jerked the Sun box off wire and
>replaced it with the OpenBSD machine. That was almost two years ago.
>Still, not a single breakin, despite literally hundreds, if not
>thousands, of attempts. I never, ever, set even a Sun Solaris FW-1 system
>without extensive reconfiguration for security purposes. This is simply
>not necessary with OpenBSD. Ever. Period.
>
>FWIW.
>
> >
> > Kevin
> >
> >
> > At 03:28 PM 9/3/99 -0700, you wrote:
> >
> > >On Fri, 3 Sep 1999, Iven Connary wrote:
> > >
> > > >
> > > > Is it possible to run Firewall-1 on a standard FreeBSD system - i.e. not
> > > > Nokia's IPSO distribution?
> > > >
> > > > Our management server croaked the other day (NT platform, go figure),
> > > > and I'm looking for a low cost (free) alternative for a new management
> > > > box.  I'm leaning towards a *nix solution for stability and remote admin
> > > > purposes.  Solaris on i386 came to mind, but the Checkpoint website
> > > > indicates that only SPARC architecture is supported.  FreeBSD seems like
> > > > the only potential alternative.
> > > >
> > > > This question has been asked before on this list (~1 year ago), but I'm
> > > > hoping by now someone might have a definitive answer on whether or not it
> > > > can be done.  Nokia has obviously done it, but to what extent was the
> > > > kernel source modified to make it work?
> > > >
> > > > If someone has an answer/alternative, I'd greatly appreciate it.  I'd
> > > > *really* rather not have to turn back to NT.  Damn I wish they'd write a
> > > > Linux port...
> > >
> > >A Linux port would be great. An OpenBSD port would be far greater!!!
> > >
> > >See http://www.openbsd.org to see why.
> > >
> > > >
> > > > Iven
> > > >
> > > > -------------------------------------
> > > > Iven Connary
> > > > Security Consultant
> > > > Planning Technologies Inc.
> > > > -------------------------------------
> > > >
> > > > ================================================================================
> > > >      To unsubscribe from this mailing list, please see the instructions at
> > > >                http://www.checkpoint.com/services/mailing.html
> > > > ================================================================================
> > > >
> > >
> > >
> > >
> > >Regards:
> > >
> > >John Horn
> > >City of Tucson, IT Dept.
> > >jhorn1@desperate.ci.tucson.az.us
> > >
> > >
> > >
> >
> >
>
>
>
>Regards:
>
>John Horn
>City of Tucson, IT Dept.
>jhorn1@desperate.ci.tucson.az.us


