From owner-freebsd-questions  Mon Mar  5 14: 6:12 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from nisser.com (c0039.upc-c.chello.nl [212.187.0.39]) by hub.freebsd.org (Postfix) with ESMTP id 9A82637B71E for ; Mon, 5 Mar 2001 14:05:44 -0800 (PST) (envelope-from roelof@eboa.com)
Received: from eboa.com (roelof [10.0.0.2]) by nisser.com (8.9.3/8.9.2) with ESMTP id XAA68291; Mon, 5 Mar 2001 23:05:19 +0100 (CET) (envelope-from roelof@eboa.com)
Message-ID: <3AA40D9F.D60D7796@eboa.com>
Date: Mon, 05 Mar 2001 23:05:19 +0100
From: Roelof Osinga
Organization: eBOA - Programming the Web
X-Mailer: Mozilla 4.72 [en] (Windows NT 5.0; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Ted Mittelstaedt
Cc: bcohen@bpecreative.com, freebsd-questions
Subject: Re: FreeBSD Firewall vs. Black Ice
References: <007001c0a543$53d90fa0$1401a8c0@tedm.placo.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Ted Mittelstaedt wrote:
>
> ...
> Right, but you were talking about cost-benefit as though having a cracked
> site is a cost that has to be considered. What I'm trying to point out is
> that there's no excuse for having a cracked site - ie: the cost of a cracked
> site is a bogus cost because el-cheapo firewalling that isn't half-bad is
> available to anyone, no matter how little they know about firewalling.

That it's inexcusable I agree. But as you yourself pointed out, that
el-cheapo thingum will not help in the case of a DoS attack. Nor with,
say, a DNS hijacking.

But worse is that we're dealing with humans. Now as, whatshisname, once
said in the Devil's DP dictionary, all systems are perfect as long as
they're clear from user interference. Or words to that effect. I could
look it up ;).

I myself had forgotten to disable the anonymous FTP access I'd enabled
about a year ago. For whatever reason. It took them about a year to find
I'd left the backdoor unlocked. But when those punks did, that partition
was filled with crap in no time. IOW no firewall will help you against
human error.

Then, too, there are human programmers to be considered. Stupid mistakes
can be made. Will be made. This is not to excuse cracked sites, this is
to point out that a strategy needs to consider the inevitable. For it
doesn't matter how hard you try to prevent it, at the end of the day
sh*t happens. It's only natural ;).

Thus you need a disaster plan. You got one for failed disks, but have you
got one for a failed site? When you operate on the basis that it just
might happen, your perception shifts. Then it becomes a broader problem
to attack. Then it becomes a matter of risk analysis, coupled with the
vaunted cost/benefit analyses.

Hm. I just now remembered 'Johnny' who figured in an ad on CNN a while
ago. There's no protecting against a 'Johnny' like me who leaves the
backdoor unlocked for about a year. That's so inconceivably stupid it
just doesn't get conceived. It's rare. But it happens. Another thing
that's not unheard of is fixing one bug by entering a whole new, much
improved, one.

> ...
> lowest-end firewall solution out there.

No argument there. And there.

> There's a time when you have to give the customer trouble if that is what
> they are asking for. If they truly want NT then provide it to the best that
> it can be done and then when it falls apart, you can tell them "OK, now that
> we have gone down that road and you have satisfied yourself that it's
> worthless, let me do it the right way for you now"

I don't really think there's another way. Just now there was a sob-story
on the OpenBSD advocacy list about someone who had a nice box going.
Right up until the consultants came in. The company had grown, you see.
It was now ready for the *real* thing. Not many managers are strong
enough to not fall into MS's lure. It's IBM all over again. But this time
the price differences are way smaller. It's easier to fight a $1M
proposal than a $100K one.

> Think again. SBS is licensed on the SMB connections, not the network
> connections, there's a difference. You can have up to 50 FILE_BASED SMB
> connections to stay within the license. However, HTTP or FTP or LPR or
> whatever network connections are unlimited and are not covered by the
> license. In short they don't need a more expensive license.

Who can say. This is MS we're talking about. Back with NT 1.0 or 3.1 as
it got released it was unlimited. Then with 3.5 the first limitation got
introduced, 10 simultaneous SMB connections for the workstation per
licence for the NT sold as 'server'. Next that got extended to cover
TCP/IP too. After that, who knows. They send me periodically some new
marketing blabla over their latest and greatest licencing scheme. Nobody
can keep up because you're not intended to know what you're signing.
Well maybe sockets are once again unlimited but unless you're a lawyer
putting that in writing I'll withhold judgement ;).

In this case, however, I was referring to SQL Server licensing. Not to
the max. number of users one is allowed to have active at the same time.
If I'm not mistaken - not unheard of - then the max users bought applies
to the SQL Server, too. This in turn precludes attaching it to the
Internet. For that you need an unlimited SQL Server licence, which is or
was not available for the SBS release. Then again, this is MS we're
talking about. Who can tell?

With a colleague I went to a MS Sales Seminar, where we were told about
the latest and greatest. One of the things that caught our attention was
the promise of a SQL Server Personal edition. Intended for single user
use. Which was great news for it would allow us to develop for a good
enough database yet deploy it even on an above average desktop PC. Well,
theoretically. We're still waiting for that one. That was before the
release of SQL Server 7. Two years ago?

> I think that you should use a different tack. The problem with SBS is
> simple - it's a giant integrated system, and if they make ONE mistake while
> administering it, they trash the server.

This is a new client. They're not potty trained yet ;).

> Do you know what happens to a SBS server if you don't use the web-based GUI
> tools to administer it and instead use the regular NT administration tools
> to administer it? I'll tell you, it completely fucks it up, that's what it
> does.

It's not all that bad. We've got one sorta going here. Needed an SQL
Server to test against. The whole webthingum doesn't even run! OK, the
bloody thing crashes multiple times per day when a programmer is actually
working on it. But then, so did NT4 up to SP6. NT2K is fairly stable. No
wonder MS is starting to push some new technology. They're running out of
critical bugs in this one ;). And that in not even 10 years. Not bad.

> Most people that think they have to have NT want it because they think it
> will be easier for THEM to administer, if they can just get someone a tad
> more competent than themselves to set it up for them. But, I can assure
> you, SBS is far more complicated to administer than a regular NT server plus
> IIS and Exchange and SQL. I've seen SBS servers go into environments like
> that, with people that have itchy fingers, and within a year they are so
> fucked up that the only way to fix them is to write down on a piece of paper
> all the usernames and passwords, copy off the share data (Word, Excel, etc
> files) and completely reformat the hard disk and reinstall SBS from scratch,
> then spend days reentering all the data. Not only that but a SBS server
> isn't content to trash itself - all the Windows clients in the network have
> to have the SBS client loaded on them, which is impossible to unload cleanly
> and once it touches the client, the client won't work on anything other than
> a SBS server again.

Ah! You mean we were supposed to actually do that? Use the clients
delivered? Sheesh. Who'd've thought. No wonder it's so stable. Well, for
a MS product, that is. The IIS we don't actually use. Well, other than to
test DLL's with before shipping. And Exchange... wooh, bad juju!

> It's a perpetual money-making system for companies or individuals that are
> in business to install SBS, they are guaranteed at least one 40-hour server
> reinstallation a year, and at $100-per-hour (which is the going rate for
> MCSE's) that's a nice $4K. Line up about 20 companies like that which are
> convinced that they need to have NT, and if you schedule them right you have
> a nice salary for only about a half-a-year's work as long as you care to
> work on SBS. (or until those companies figure out that Microsoft has this
> cosy little system set up and dump NT)

Yeah, but what's the fun in that?

> Aaahhh, the stupidity and gullibility of the Microsoft-blinded.

They're called humans.

Roelof

--
The de-vice site @ http://BeerIsBitter.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
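Editor's added example, not part of Roelof's mail or of FreeBSD itself: the "forgotten anonymous FTP for a year" case above is exactly the kind of configuration drift that a firewall cannot see but a periodic host audit can. The script below checks the two things that together make anonymous FTP reachable on a FreeBSD host of that era, then counts world-writable directories under the FTP root (the thing that lets a partition fill up "in no time"). It assumes ftpd is launched from /etc/inetd.conf and that, as FreeBSD's ftpd(8) documented, anonymous logins are enabled by the existence of an account named "ftp" in the password file; the inetd.conf and passwd lines it writes are constructed samples, not copied from any real host.

```shell
#!/bin/sh
# Added example (not from the original mail): audit for the
# "forgotten anonymous FTP" case. Assumptions, not facts from the post:
# ftpd is started from inetd.conf, and FreeBSD's ftpd(8) grants anonymous
# logins when an account named "ftp" exists in the password file.
# The sample files written by make_samples are constructed for the demo.

# Print "enabled" when an uncommented ftp service line exists in the
# given inetd.conf, else "disabled".
ftpd_in_inetd() {
    if grep -Eq '^[[:space:]]*ftp[[:space:]]+stream' "$1"; then
        echo enabled
    else
        echo disabled
    fi
}

# Print "present" when an account named ftp exists in the given passwd
# file, else "absent".
ftp_account_present() {
    if grep -Eq '^ftp:' "$1"; then
        echo present
    else
        echo absent
    fi
}

# Anonymous FTP is reachable only when ftpd is listening AND the ftp
# account exists; either condition alone is not enough.
# $1 = inetd.conf path, $2 = passwd path. Prints "open" or "closed".
anon_ftp_status() {
    if [ "$(ftpd_in_inetd "$1")" = enabled ] &&
       [ "$(ftp_account_present "$2")" = present ]; then
        echo open
    else
        echo closed
    fi
}

# Count world-writable directories under the anonymous FTP root ($1):
# that is where uploaded junk lands.
world_writable_dirs() {
    find "$1" -type d -perm -o+w | wc -l | tr -d ' '
}

# Write constructed sample configs into a fresh temp dir and print its path.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' \
        '#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l' \
        'telnet stream tcp nowait root /usr/libexec/telnetd telnetd' \
        > "$d/inetd.conf.safe"
    printf '%s\n' \
        'ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l' \
        'telnet stream tcp nowait root /usr/libexec/telnetd telnetd' \
        > "$d/inetd.conf.open"
    printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/csh' > "$d/passwd.safe"
    printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/csh' \
        'ftp:*:14:5:Anonymous FTP Admin:/var/ftp:/nonexistent' \
        > "$d/passwd.open"
    mkdir -p "$d/ftproot/pub" "$d/ftproot/incoming"
    chmod 0755 "$d/ftproot" "$d/ftproot/pub"
    chmod 0777 "$d/ftproot/incoming"
    echo "$d"
}

# Stand-alone demo over the constructed samples.
demo=$(make_samples)
echo "safe host: anonymous ftp $(anon_ftp_status "$demo/inetd.conf.safe" "$demo/passwd.safe")"
echo "open host: anonymous ftp $(anon_ftp_status "$demo/inetd.conf.open" "$demo/passwd.open")"
echo "world-writable dirs under ftproot: $(world_writable_dirs "$demo/ftproot")"
rm -rf "$demo"
```

On a real host you would point anon_ftp_status at /etc/inetd.conf and /etc/passwd and world_writable_dirs at the ftp account's home directory, and run it from cron; the point is that the check is independent of whatever the firewall thinks, so a service you enabled and forgot still shows up.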