- To: slug@xxxxxxxxxxx
- Subject: RE: what users want (was RE: [SLUG] hrmm.. go Telstra)
- From: John Wiltshire <jw@xxxxxxxxxxx>
- Date: Sat Aug 26 23:25:43 2000
- Return-receipt-to: John Wiltshire <jw@xxxxxxxxxxx>
From: Jon Biddell [mailto:jon@xxxxxxxxx]
[snip]
> So we'll let Mr Consultant install his M$ product (they don't want IT
> to have administrative control over it), then when I break it several
> times, maybe they'll see my point.
Actually, Checkpoint or FW-1 pretty much toast any Microsoft code (they
don't trust it) and use their own TCP/IP layers and packet filtering
mechanisms. About the only thing they use NT for is the UI and the NTLM
authentication stuff.
I wouldn't bother breaking it. You'll end up being thought a troublemaker
and no one will listen to your opinions, not to mention you'll get a black
flag as a potential hacker. Write a report saying you believe it is a
"higher risk solution" with "potential for information leakage and/or loss"
to your boss and keep a copy. If something ever happens you bring out the
report and say "I told you so" quickly followed by "I've planned for this
contingency and can implement a secure alternative as soon as you want it".
> Oh, and the funny side of all of this - the M$ solution that was
> demonstrated incurred a performance hit when "authenticating" through
> the firewall..... They had been running for a week with the Linux one
> installed and didn't even realise it.
Not wanting to defend the solution, but it was probably doing a lot more
than the IPChains one I assume you implemented. If they were doing user
level authentication then there is no way you are going to avoid a
performance hit on any OS. Of course the hit might be greater depending on
which OS you are authenticating against.
John Wiltshire