Firewall Wizards
mailing list archives
Re: Additional TPC/IP stack
From: Darren Reed <darrenr () cyber com au>
Date: Mon, 10 Nov 1997 13:47:52 +1100 (EST)
In some mail I received from Jyri Kaljundi, sie wrote
> On Wed, 5 Nov 1997, Franco RUGGIERI wrote:
> > Do you feel that such additional checking in an ad hoc IP stack is
> > valuable?
> Well Windows NT TCP/IP stack has probably had some security problems (like
> wrong reaction to OOB and other packets), and now that Milkyway has
> rewritten the whole NT TCP/IP stack for their firewall, at least they have
> said that there are other problems with it. So if you can, having a stack
> that has been written considering security is certainly better than what
> you get with any operating system. This is one thing you have to consider
> when choosing a fw product, but certainly having a robust and secure TCP
> stack only won't help so much when the OS itself is really buggy.
What I find quite amazing is that everyone here appears to be ready to
believe that it is robust/stable/secure. I've yet to read anything that
would make me believe it was any better than the TCP/IP found on Linux
or Solaris a few years ago or Microsoft today (they wrote it from scratch
too and have literally spent several years making up for it).
Did they use the BSD TCP/IP (or someone else's) as a base ? Have they
only implemented IP and not TCP/UDP/ICMP ?
Whilst they have made claims that being able to do it from scratch has
meant they can do it with security as a focus, what does that mean for
its ability to operate in a heterogeneous environment like the Internet ?
In today's market, do you want a TCP/IP stack that is full of new bugs
(but written with security in mind) or one which works and is more of a
known quantity ? Do I need one of those new stacks on my FreeBSD
workstation or my Win95 workstation ?
About the only benefit I can see is that the packets which do manage
to exploit a problem must find a problem which exists in both the NT
stack and the new one, rather than just one.
Darren