Firewall Wizards mailing list archives

Re: [fwd] Firewall Products: Many Not Ready For Prime Time,


From: Rick Smith <rsmith () securecomputing com>
Date: Wed, 1 Apr 1998 17:21:42 -0600

At 10:39 AM -0500 4/1/98, Jody Patilla wrote:

      I refer to this as the Mojo Bag Theory of Firewall Purchase. The
idea is that you buy one and just having it keeps away the evil eye. :-)
(Burning incense in front of the firewall may or may not be a "best
practice", depending on the particular shaman, er, consultant, that you
call in to do the eval.)

Waving a rubber chicken (painted NCSC Orange) is believed to be effective
in some environments. We get occasional requests for it, but I've come to
dislike the marathon dance that goes with it. However, once you discard the
moral and technical absolutism that goes with such regimes, you've simply
substituted one form of shamanism for another.

And this is our pivotal philosophical problem: just what in heck *are* we
trying to do with our magic potions and products, anyway?

I've spent the past half hour trying to pen some erudite statement on this.
I seem to favor "deterrence" as a central concept these days, tho' such a
stance makes it harder for me to run down competing "inferior" products. If
deterrence is the main thing, then just about anything except pure placebo
is going to give some (albeit modest) level of deterrence. So just about any
firewall that's got enough gumption to block ICMP traffic on request is
"ready for prime time" as far as some customers are concerned. What a
depressing thought.

Rick.
rsmith () securecomputing com



