Security Basics mailing list archives
RE: Firewall configuration statistics
From: ATD <simon () snosoft com>
Date: 24 Jun 2003 18:17:59 -0400
SKP,

I don't think that you are wrong or an idiot for wanting to understand stat information. Hell, we all have marketing teams (well us that work for infosec companies do). My point to you, when I wrote to you was that your subject of interest isn't something that you can get numbers on and have them be accurate. Here are the reasons:

1-) Firewall configurations changed often.
2-) You can't possibly (nor can anyone) probe enough firewalls to get real stats

So, in closing, the information you are trying to collect is just not something that I think anyone can collect in any real way. =]

On Mon, 2003-06-23 at 14:00, security () rexwire com wrote:
I think it's time to put this thread to rest. Since I started it I think I will be the appropriate person to do so.

In summary I don't think my original point got across to most people. In part it must have something to do with the way I wrote the question and in part lack of sales or business experience of people reading this thread. My question was clearly a marketing question regarding industry statistics. It is quite stupid for people to say that statistics don't matter. Almost all security projects are sold because someone read a statistic or does not want to become one.

As to the leaving number to sales and security to security professionals. This way of thinking is guaranteed to shut down the company that the consultants work for. Everybody is in sales regardless of their title or position. If you are not selling you are useless to your organization regardless of how much skills you may possess.

This is my $.05 $.25 and $1.00 worth

-SKP

-----Original Message-----
From: Des Ward [mailto:des.ward () ntlworld com]
Sent: Monday, June 23, 2003 1:44 PM
To: security () rexwire com; justinpryzby () users sourceforge net; security-basics () securityfocus com
Subject: RE: Firewall configuration statistics

Right, let's try and put this one to bed.

Unless you are using stats that are relevant to the industry, size and external-facing internet presence of the intended audience; the stats used are of no real intrinsic value. Industry numbers have no real intrinsic value because of this. That is both fact and experience talking.

The IT industry is full of people who will be conned and those who will con. I am not saying that anyone in this list is doing this, again this is merely fact and experience. All others in the group have been guilty of is putting this point across in a different way.

In summary, let the security professionals deal with security and the salesmen deal with numbers. That way everyone is happy.

Just my £0.05 worth.
Here's to starting another thread having finally put this one to bed :o)

Des

-----Original Message-----
From: security () rexwire com [mailto:security () rexwire com]
Sent: 20 June 2003 22:04
To: justinpryzby () users sourceforge net; security-basics () securityfocus com
Subject: RE: Firewall configuration statistics

Justin's reply must be the malicious reply I have ever read in this group and I hope the moderator takes notice. I was intending to get industry statistics for my marketing material and not an arbitrary number to feed to people.

It comes back to my point in my last pointing. People should keep their philosophical points to themselves; no one wants them or cares for them they provide nothing to the users of this group. Please stick to experience and industry numbers they go a long way to help people. Wishing ill onto others as Justin did does not help anyone nor I guarantee it will do a lot for Justin's career.

Some of the statistics I have come across are stated below;

90% of all companies that got compromised last year had a firewall
70% of all attacks happen at the application level
25% of exploits had patch readily available

-SKP

-----Original Message-----
From: Justin Pryzby [mailto:justinpryzby () users sourceforge net]
Sent: Friday, June 20, 2003 10:34 AM
To: security () rexwire com; security-basics () securityfocus com
Subject: Re: Firewall configuration statistics

Well, seeing as I just received duplicates of last month's mail, I guess I may as well respond.

My intent in giving SKP two opposite and conflicting statistics is to reveal the meaningless nature of the question. Whether marketing material says 2% of firewalls are misconfigured or 98% are doesn't matter. It is a matter of opinion, and I have given SKP my own meaningless authority to state whatever he wants.
I hope I have also given him the motivation to realize that what he wants is an arbitrary number to feed to people; I want him to get neither satisfaction nor sales from publishing whatever number he decides to use.

Justin

On Fri, Jun 20, 2003 at 04:48:02PM +0000, security () rexwire com wrote:

Thank you Greg. I totally agree. If people would just answer questions based on real life experience and knowledge and leave the philosophy to the politicians I think everyone in this group will be happy.

-SKP

-----Original Message-----
From: NC Agent [mailto:NC_Agent () kueppers-familie de]
Sent: Friday, June 20, 2003 12:01 PM
To: security () rexwire com; justinpryzby () users sourceforge net
Cc: security-basics () securityfocus com
Subject: RE: Firewall configuration statistics

What you received is the reason why I will not post a serious question to the list. The list has fallen into one of opinion not fact. So folks, as SKP gets more and more frustrated, and stops using the list for serious business, maybe it has become time for us to get back to business.

Just my .005 worth.

Greg Kane
SAIC
Senior Systems Security Engineer
CTSF-IA
Fort Hood, TX

-----Original Message-----
From: security () rexwire com [mailto:security () rexwire com]
Sent: Saturday, June 07, 2003 6:16 PM
To: justinpryzby () users sourceforge net
Cc: security-basics () securityfocus com
Subject: RE: Firewall configuration statistics

That makes absolutely no sense. Plus I am not looking for a philosophical answer. I was looking statistics for marketing. Does anyone know of a good reference site for firewall and other security statistics.

SKP

-----Original Message-----
From: Justin Pryzby [mailto:justinpryzby () users sourceforge net]
Sent: Friday, June 06, 2003 6:18 PM
To: security () rexwire com
Cc: security-basics () securityfocus com
Subject: Re: Firewall configuration statistics

Security,

100% of firewalls are misconfigured.
I guarantee that no firewall administrator has considered all of the possibilities that are out there. Moreover, there are guaranteed bugs in the firewalling software itself.

No firewalls are misconfigured. Computers do what they are told, and the occasional cosmic ray bitflip is insignificant compared to human error. FW admins who use broken software or write bad FW policies deserve to suffer the consequences.

Take your pick. As a user, I think all firewalls suck because at best they are another layer for things to get f()'d up, and at worst they prevent me from doing stuff. As an admin, I know of no more problems in my current firewall configuration (-j DENY), but let me check.

Unless you elaborate on whichever number you quote, it is meaningless. Anyone who has ever dealt with a firewall will know that. You will, however, impress 99% of everyone with a cool word like ''firewall''.

Justin

On Sat, Jun 07, 2003 at 12:42:26AM +0000, security () rexwire com wrote:

I remember once reading that X amount of firewalls are misconfigured. Does anyone know where I can get this statistic from? We are making some new marketing material and I would like to include this stat in it. A quotable source would be great.

Thanks
SKP