From owner-freebsd-questions Mon Dec 16 14:42:45 1996
Date: Mon, 16 Dec 1996 14:42:18 -0800 (PST)
From: Doug White
Reply-To: dwhite@resnet.uoregon.edu
To: Mun Fai WONG
cc: questions@freebsd.org, security@freebsd.org
Subject: Re: FreeBSD vs BorderWare
In-Reply-To: <32b5c1243534002@molhub.mol.net.my>

The security list could probably comment on this better than I.

On Mon, 16 Dec 1996, Mun Fai WONG wrote:

> I am given the opportunity to propose an Internet gateway/server with
> security features in the form of firewall mechanism. The prospective
> customers seem to be more keen in BorderWare as the solution for the
> following reasons:
>
> 1) It is based on a secured OS philosophy

Ditto here. Reference the numerous CERT warnings put forward by the FreeBSD group, willingly, to fix 4.4-Lite problems.

> 2) It is "commercially" backed by the vendor

FreeBSD is backed by the vendor...questions is the support line. I'll bet we'll answer you faster than BorderWare could ever hope to. And it's free (less cost of Internet access).

> 3) It has been tested

FreeBSD is tested all around the world by organizations great and small, in addition to the rigorous developmental and pre-release testing. In addition, many of the security tools are available from vendors who release software for other OSs and architectures (fwtk comes to mind).

> 4) Availability of the source to the modified kernel is impossible compared
> to FreeBSD as FreeBSD is a very "open" software distribution with source
> codes freely available.

So? What's so bad about that? Thousands of people around the world can look at the guts of FreeBSD? What's so insecure about that? If there's a problem, someone will notice it and submit a fix. With commercial applications, there may be a problem, but you won't be able to find where and how to fix it because you won't know the actual root of the problem. If there's a problem with FreeBSD, you can find it, fix it, submit the patch, and see the patch reviewed, committed, and a fix or workaround available in a short amount of time. Commercial software, you're waiting for the next release, which could be months away.

> 5) It does VPN, NAT and Secured Server Network (SSN, vs DMZ)

Add-on tools can implement NAT, but the others I'm not so sure about since I'm not a serious security guru.

> So, I really like to get a frank opinion/experience/suggestions on how
> people rate FreeBSD 2.1 onwards against BorderWare etc in terms of security
> features.

The security list (and even -isp) can give you reactions.

Hope this note helps. You have the common misconception that commercial implementations are inherently 'better' than publicly available ones -- a misconception that you need to dispel.

Doug White                            | University of Oregon
Internet: dwhite@resnet.uoregon.edu   | Residence Networking Assistant
http://gladstone.uoregon.edu/~dwhite  | Computer Science Major