Date: Fri, 6 Dec 1996 10:51:00 -0600
From: "Hicks, Rick" 
Subject: RE: Why would someone want an NT firewal

>1) We only have 3 Unix computers on our campus.  I manage one of them,
>and after two years still know very little about it.  Yes, if I spent
>"enough time" on it I would probably be a Unix expert by now, but I   
don't
>want to spend that much time, nor do I have the option of spending that
>much time on it.

Wow, how did you become an NT expert so fast?  Two years with UNIX and   
nothing; but suddenly you're an NT expert?

>2) We don't want to hire a rocket scientist to manage our firewall.

Sure, but you don't want an uneducated person doing it either.  Ease of   
use should not top the list when you're shopping for a firewall, security   
should.  What good is it to allow others to change things on the firewall   
easily if they do not know the implications of what their doing?

BTW, UNIX firewalls are just as easy to administer as any NT firewall, so   
this whole issue may be moot.  How come you're boss and staff can use an   
NT admin tool and not an X admin tool?  The applications are exactly the   
same, they just use a different window manager.

>Because our firewall is on an NT platform and has a good GUI, I can be
>gone for a couple of weeks and even my boss, a manager, can sit down and
>make changes to the firewall comfortably.  Several other people in the
>computing department with the password could do the same if they had to.   

>After two years, nobody else could sit down to my Solaris box and do
>anything except manage to shut things down.

First, I think you're confusing the term 'good GUI' with 'familiar GUI'.   
 NTs GUI is no better than X, in fact  until NT 4.0 it wasn't even close;   
X was and still is, in my opinion, a better GUI.

I am already on my soapbox, but allow me to stand a little taller for a   
moment. ;-)

NT is not easier than Unix to learn or administer.  People see the   
'familiar' interface and feel secure, but how much do they really know   
about NT?  Do they know all the intricacies of the registry and the ini   
files?  Do they understand the filesystem security (if using NTFS) and   
the shortcomings of it?  What about DLL management?

I have taught people how to use Unix in the same amount of time it took   
to show them NT.  Don't let the interface fool you into thinking that you   
know the system, its much more complicated than that.

>3) At the time of my research a year ago, most mainstream firewalls ran
>on minicomputer-class machines like Sun Sparc, HPUX, AIX.  For an
>educational site with good discounts, a platform like that ran around
>$15,000.  We put our firewall on a well-endowed NT PC for $5,000.
>Hardware and software maintenance is also much cheaper

A valid point, cost is always an issue.  But, look at it this way:  What   
is the cost of a security breach?  If our systems are down most our   
business comes to a halt, and I think this applies to all of us.  When   
our workers cannot work and orders can't be entered or shipped that costs   
us 100's of thousands of dollars every hour they are standing around.   
 Wow, doesn't that $15,000 seem cheap now!

I'm not trying to say that you're firewall is inherently insecure, but   
from what you have disclosed on this list it isn't what I consider a   
secure environment.  You seem to have placed price and ease of use above   
security concerns, and that should not happen.  If you truly know NT   
security better than Unix then I guess you made a valid decision, but too   
many people think they know NT when all they really know is that   
'familiar' interface.  It takes just as much time and effort to know NT   
security as it does Unix.  I really wish more people could see this fact,   
but perception is reality I guess, and Microsoft has control over our   
perceptions.


Rick

________________________________________________
Rick Hicks
Systems Specialist
Hussmann Corporation
rhicks@hussmann.com
http://www.hussmann.com