SLUG Mailing List Archives
RE: what users want (was RE: [SLUG] hrmm.. go Telstra)
- To: slug@xxxxxxxxxxx
- Subject: RE: what users want (was RE: [SLUG] hrmm.. go Telstra)
- From: John Wiltshire <jw@xxxxxxxxxxx>
- Date: Sat Aug 26 23:25:43 2000
- Return-receipt-to: John Wiltshire <jw@xxxxxxxxxxx>
From: Jon Biddell [mailto:jon@xxxxxxxxx]
> So we'll let Mr Consultant install his M$ product (they don't want IT
> to have administrative control over it), then when I break it several
> times, maybe they'll see my point.
Actually, Checkpoint or FW-1 pretty much toast any Microsoft code (they
don't trust it) and use their own TCP/IP layers and packet filtering
mechanisms. About the only thing they use NT for is the UI and the NTLM
I wouldn't bother breaking it. You'll end up being thought a troublemaker
and no one will listen to your opinions, not to mention you'll get a black
flag as a potential hacker. Write a report saying you believe it is a
"higher risk solution" with "potential for information leakage and/or loss"
to your boss and keep a copy. If something ever happens you bring out the
report and say "I told you so" quickly followed by "I've planned for this
contingency and can implement a secure alternative as soon as you want it".
> Oh, and the fully side of all of this - the M$ solution that was
> demonstrated incurred a performance hit when "authenticating" through
> the firewall..... They had been running for a week with the Linux one
> installed and didn't even realise it.
Not wanting to defend the solution, but it was probably doing a lot more
than the IPChains one I asssume you implemented. If they were doing user
level authentication then there is no way you are going to avoid a
performance hit on any OS. Of course the hit might be greater depending on
which OS you are authenticating against.