Firewall Wizards mailing list archives

RE: [fwd] Firewall Products: Many Not Ready For Prime Time,


From: "Feeney, Tim" <Tim.Feeney () fmr com>
Date: Thu, 2 Apr 1998 12:17:11 -0500

Let me put out a note from the side of a systems administrator.  I am
not a security "guru/consultant/practitioner/auditor" but a mere systems
administrator.  I got into the firewall/security fray by having my
manager (at a previous corp) say:  "We are having a firewall installed
by a consultant for our new internet connection and we want you to help
him out."  I had no idea we were getting an internet connection, forget
that the consultant came in and recommended a firewall solution without
talking to me about the type of systems and applications we had.  Well
the installer knew sh** about what he was doing and I had to learn all
about the FW-1 1.0.  I would say that this is how a goodly number of
people are being introduced to firewalls and security, with some not
even having the consultant.  It can be easily proven with some of the
postings to the firewalls@greatcircle mailing list.  There is always a
monthly "Hi, I have been asked to set up a security policy and need
help" message.  I believe that it will be a long time before this type
of situation will become a rare case.  There is the rush to take
advantage of the business opportunities that the internet presents, and
still a "It will not happen to us" attitude. The advent of an out of the
box secure firewall will only heighten this feeling, and further enlarge
the blinders that are in place.  The human animal, crackers included, is
an amazingly adaptive being and will find a way to get around barriers.


I believe that if a large company is "hacked" and it causes their
downfall this will push the business side of corporations to sit up and
take notice.  Until that time more and more administrators will become
overnight security "gurus".

Tim

PS.  For a chuckle:  I originally set up the firewall to reject all
packets until I had the DMZ and internal routers set up.  While I was
away at SANS my ex-manager decided they needed to grant access to the
ftp server.  Did he add a rule?  Nope he just moved the server to the
other side of the firewall, with the server being an out of the box
Solaris machine (i.e., all services running and default passwords in
place.)  It took me a while to convince him this was a bad thing and I
needed to reinstall the server from scratch. :^)

------------------------------------------------------------------------
The opinions expressed in this message do not necessarily reflect those
of my employer.
"If you don't know what you're aiming for, the chances of getting there
are nil."


