
Re: [FW1] Checkpoint on FreeBSD - revisited




On Sat, 4 Sep 1999, Kevin Mahler wrote:

> With any OS you must take security seriously.  Maybe the
> default load of OpenBSD is more secure than the default load
> of Solaris but that does not make it a more secure OS.  Please tell
> me you did some security tuning on your Sun boxes running
> FW-1!  If OpenBSD is so secure out of the box, why
> do they maintain a security advisory page?
> <http://www.openbsd.org/security.html>  I don't agree with
> your reasoning.  Every OS has holes.  It's your job to stay
> on top of them.

There has as yet never been an OS developed without holes. While it is
true that OpenBSD has only a tiny fraction of the number of holes that
Solaris on SPARC has, it still has holes. I usually spend several days
combing through every single line of every single S and K script,
/etc/inittab and many other things before I launch a new firewall. And all
this after running Danny Farmer's titan script and installing a few
of my own 'C' and Perl programs - just in case. 

If there were an OpenBSD port, would I use it in every case? No, it doesn't
have SMP support. Is it significantly more secure 'out of the box' than
Solaris? Unquestionably!

The National Security Agency and Defense Intelligence Agency consider Wang
Federal (almost tied by XTS Xenix) to be the most secure OS 'on the
planet', their quote, not mine. Don't know if you ever used Wang Federal,
but I'll tell you this, it is secure. Are there holes? Almost certainly. I
know that one was found several years ago. The fact that none have been
found since doesn't mean there aren't any. Still, Wang Federal is not, to
my mind, a really usable OS. The price of that security is usability. The
isolated rings of access levels employed are a high price to pay. 

Still, I would trust a default install to be far more secure than any
other Operating System on Earth except OpenBSD. Wang Federal costs a mint.
OpenBSD is free. Having had several Solaris systems broken into, systems
that were up to date with security patches, I know at this point in time
that Solaris is less secure than Wang Federal or OpenBSD. I have witnessed
both of the latter defeat energetic attempts to break in. 

Don't get me wrong though. I like Solaris a lot. I have had a Sun
workstation on my desk for years and have every intention of continuing to
do so - till they pry it from my cold dead fingers. Solaris is flexible
and powerful and gives me the greatest freedom and enjoyment of any
commercial OS. But I harbor no illusions about its security. It is NOT
very secure - unless you purchase the 'secure' version from Sun that is.

Almost all of my larger servers are Solaris - particularly the SMP ones.
But when it comes down to the line - when I absolutely, positively have
to have SECURITY in capital letters, today I always select OpenBSD. It is
far more secure than you believe it is.

For this reason I would prefer to have an OpenBSD port of FW-1 over a
Linux port of FW-1. It is security we pursue when we install a Firewall.
There simply would be fewer variables involved for CheckPoint to make such
a port with OBSD than Linux.

> 
> I'm not against an OpenBSD or Linux port.  I think both would be
> great.  I just prefer Solaris on Sun today.  As for security, if
> you believe ANY OS is without holes, start reading.
> 
> As for Solaris on x86, just don't do it.  It's a dog!
> 
> Kevin
> 
> 
> At 04:31 PM 9/3/99 -0700, John Horn wrote:
> >On Fri, 3 Sep 1999, Kevin Mahler wrote:
> >
> > > I'm curious why you are not considering a Sun solution.  Check Point
> > > runs very well on Sun boxes with Solaris.  I am a big fan of Linux but
> > > we run our FW on a Sun UltraSparc 10.  It works flawlessly.  You can
> > > purchase an Ultra 5 that will run Check Point FW-1 very well for about
> > > $3.5K.  This is very reasonable considering the performance and
> > > reliability.
> >
> >Hmmm. All of my CheckPoint FW-1 boxen are Sun SPARC architectures. In
> >fact, all but one are Ultras. Still, personally, I would like to see a
> >port to OpenBSD over Linux. Why? Simple answer is: SECURITY! In OpenBSD
> >every single line of code in every single distribution has been examined,
> >individually, by programming security experts, one line at a time, for
> >security flaws. Anything the slightest suspect is rejected until it is
> >secure.
> >
> >How do I know it is secure? One of the boxes on my DMZ is a 100% default
> >install of OpenBSD, via FTP from one of their Canadian servers - with the
> >single exception that I added ssh 1.2.27 for administration use. The
> >kicker is, that machine provides public, anonymous access with full shell
> >privileges to anyone in the world. No password or other authentication
> >required. Not a day goes by without someone (usually more than one
> >someone) attempting to hack the root account on that box. They have tried
> >everything under the sun - things from the mundane to the really bizarre.
> >
> >Now, you might wonder why I put such an unknown OS as OpenBSD in when
> >there are other, better known Open Source OSs out there such as Linux.
> >Well, initially we had a Sun SPARC server providing this anonymous shell
> >access service and the root account was broken in less than one day.
> >Obviously, that will not do. We hastily jerked the Sun box off the wire and
> >replaced it with the OpenBSD machine. That was almost two years ago.
> >Still, not a single break-in, despite literally hundreds, if not
> >thousands, of attempts. I never, ever, set up even a Sun Solaris FW-1 system
> >without extensive reconfiguration for security purposes. This is simply
> >not necessary with OpenBSD. Ever. Period.
> >
> >FWIW.
> >
> > >
> > > Kevin
> > >
> > >
> > > At 03:28 PM 9/3/99 -0700, you wrote:
> > >
> > > >On Fri, 3 Sep 1999, Iven Connary wrote:
> > > >
> > > > >
> > > > > Is it possible to run Firewall-1 on a standard FreeBSD system - i.e. not
> > > > > Nokia's IPSO distribution?
> > > > >
> > > > > Our management server croaked the other day (NT platform, go figure), and I'm
> > > > > looking for a low cost (free) alternative for a new management box.  I'm
> > > > > leaning towards a *nix solution for stability and remote admin purposes.
> > > > > Solaris on i386 came to mind, but the Checkpoint website indicates that only
> > > > > SPARC architecture is supported.  FreeBSD seems like the only potential
> > > > > alternative.
> > > > >
> > > > > This question has been asked before on this list (~1 year ago), but I'm
> > > > > hoping by now someone might have a definitive answer on whether or not it
> > > > > can be done.  Nokia has obviously done it, but to what extent was the kernel
> > > > > source modified to make it work?
> > > > >
> > > > > If someone has an answer/alternative, I'd greatly appreciate it.  I'd
> > > > > *really* rather not have to turn back to NT.  Damn I wish they'd write a
> > > > > Linux port...
> > > >
> > > >A Linux port would be great. An OpenBSD port would be far greater!!!
> > > >
> > > >See http://www.openbsd.org to see why.
> > > >
> > > > >
> > > > > Iven
> > > > >
> > > > > -------------------------------------
> > > > > Iven Connary
> > > > > Security Consultant
> > > > > Planning Technologies Inc.
> > > > > -------------------------------------
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > ================================================================================
> > > > >      To unsubscribe from this mailing list, please see the instructions at
> > > > >                http://www.checkpoint.com/services/mailing.html
> > > > > ================================================================================
> > > > >
> > > >
> > > >
> > > >
> > > >Regards:
> > > >
> > > >John Horn
> > > >City of Tucson, IT Dept.
> > > >jhorn1@desperate.ci.tucson.az.us
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
> >
> >Regards:
> >
> >John Horn
> >City of Tucson, IT Dept.
> >jhorn1@desperate.ci.tucson.az.us
> 
> 



Regards:

John Horn
City of Tucson, IT Dept.
jhorn1@desperate.ci.tucson.az.us


