Firewall Wizards
mailing list archives
Re: Email Appliances
From: Paul Robertson <proberts () patriot net>
Date: Fri, 2 Aug 2002 14:26:53 -0400 (EDT)

On Fri, 2 Aug 2002, Richard Threadgill wrote:

Put them *behind* a modern, well-maintained, well-written mail system.
(my personal choice is Postfix- IMO, Postfix, Qmail and Exim are the best
choices in that order.) I place the order based on how much I like using
each product, but Postfix also has the management FUD-reducer of also
being called the "IBM Secure Mailer" if you have one of those layer 8[1]
problems that's Open Source averse.

When we built Webshield, the first rev was based on qmail
(postfix did not yet exist), and the followup product was based
on postfix.

But that doesn't help the real problem with vendor products- if I _need_ a
fix/upgrade/patch/function, you're not going to support my going in and
fooling around with the product- for instance, a couple weeks ago, I
needed a feature added to a snapshot release of Postfix- I've yet to see a
vendor support a new feature the day a patch is released on something they
don't maintain themselves- especially if I'm putting the patch on before
the maintainer even issues a patched version.

If I call the vendor and say "I'm specifically worried about this libc
resolver issue, mind if I upgrade it myself and call you for support if I
have issues?" I'm going to get a "No way" answer 9 times out of 10, and the
10th person is going to give me the same level of support they'd give
their nearest competitor at twice the cost.

Mail systems these days need some agility to react to issues, and the
test cycle for products is simply longer than an immediate threat or need
can coexist with. Frankly vendors would be foolish to adopt an upgrade
cycle that potentially could affect stability without a long test cycle.

That ability to make a point choice (my company/server/unit/whatever needs
this in the next 5 minutes and I can babysit it to make sure it doesn't
screw up.) is distinctly counter to the strategic function choice (I want
a product that does $foo to mail because I'm getting too many $bar and the
occasional flood of $baz.)

I'm saying that I find it, and have found it necessary to have that
agility out in front of the product set- regardless of the components
(though I tend to look for heterogeneous things- putting Postfix in front of
Postfix doesn't provide as much protection as putting Qmail in front of
Postfix, for instance- putting anything in front of Exchange provides
lots of protection ;) .)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts () patriot net which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards