[fw-wiz] Firewall Throughput

Aaron Turner aturner@vicinity.com
Wed, 13 Sep 2000 16:05:52 -0700 (PDT)


On Wed, 13 Sep 2000, Robert Purdy wrote:

> > Do yourself a favour and stay ignorant of the development methodology
> > that goes on "behind the scenes" with Linux.  What are they now,
> > 2.4.pre34-test83, and still making major architectural changes inside it.
> > That's *insane*.  Sure, Solaris is stable, but you can't strap it down
> > as securely as you can BSD, plus you get source code for BSD.
> 
> 
> That's great, I can get the source code for BSD.... well I know I have 2
> months and $16,000 dollars to lose in down time while I pore over BSD code
> to make sure it's safe to use.  Don't get me wrong; I am an avid fan of the
> GNU project and of Linux, (I run it at home as my firewall), but the idea of
> "source code being available" as an argument doesn't sit with me.

Not to split hairs, but Free/Open/NetBSD aren't part of the GNU or 
Linux projects.  They are licensed under the BSD License, which has similarities
to and major differences from the GPL.

> Purely because businesses don't have the time or capital to pay someone to
> go over the code and check it.  

At least you have the option should you find the time/$$$.

> I know 15-25yo males with a lot of spare
> time do, and they find holes.  What's to say the 18yo Joe hasn't found a hole
> in the BSD code and is exploiting it left, right and center? (There is a
> flip side to the argument for this that there could be a hole in CP or PIX
> that is unreported)

One should point out that the BSD derivatives and especially OpenBSD have
shown themselves to have *far* fewer exploits than commercial OSes like
Solaris or NT.  OpenBSD hasn't had a published remote root exploit in like
3 years, even though the code is freely available.  The reason for this is
because the OpenBSD team *does* a security audit for all their code;
they're actually quite religious about it.  You might be able to argue
their methodology, but you can't argue the results.

> At least with closed code it's going to take something more than a script
> kiddie or someone with time on their hands to break it.

Also with closed source code you're locked into the ability of the vendor
to provide a fix which often takes weeks or months.  Open source code from
what I see tends to be fixed much quicker than commercial software.

However, in general, from the "non-scientific" research I've seen done by
sites like SecurityFocus there is little truth that either closed source
or open source generates more secure code.  Both of them *in general* seem
to have roughly the same.  There are of course exceptions like OpenBSD and
MacOS.

> I dunno, maybe I am off the beaten track, but I certainly prefer someone to
> shout at when things turn to custard.  And strangely enough so do the people
> that pay my fees.

Well, shouting at some tech support guy who probably doesn't know how to
write a line of code him/herself may feel really good (I've done it
myself), but the reality is that it doesn't really help me any.  I'd much
rather have the email address of the author and find out what's going on
(nicely).  My experience has been that they are very eager to help and
generally more capable than their commercial counterparts.

My opinion is that neither open nor closed generates more secure code
inherently. That only happens by doing security-centric code reviews, a la
OpenBSD. OSes like Linux, Solaris, and NT all have shown that they tend to
have a lot of security holes.  However, open source seems to have an
advantage when it comes to fixing them since you're not held hostage by
the vendor to fix it.  (A friend of mine fixed the recent wu-ftpd exploit
a few months ago before the wu-ftpd team did.)

Regards,
Aaron

PS. Actually I love Linux and use it all the time for just about
everything, but I've got to admit that OpenBSD is the most secure OS out
there, hands down.

-- 
Aaron Turner        aturner@vicinity.com  650.237.0300 x252
Security Engineer                         Vicinity Corp.        
Cell: 408-314-9874                        http://www.vicinity.com