Firewall Wizards mailing list archives

Re: Practical Firewall Metrics


From: Michael Brennen <mbrennen () fni com>
Date: Fri, 20 Feb 1998 10:26:20 -0600 (CST)


I'm surprised you support this for the simple reason you point out: 
vendors can claim anything they want.  Calling a template a "highly
paranoid access policy" is useless unless you have the understanding
to verify that it in fact does what you need. I distrust vendor
packages / templates / etc. for precisely this reason: I don't trust
them to keep *my* best interest beyond *their* own best interest.
Without a well defined impartial standard and common terminology,
templates don't mean anything beyond the marketing language used.

I think you are advocating an external template standard, but
templates per se without a standard don't seem to be any good because
we are back to lack of understanding.  IMO of course. 

   -- Michael

On Fri, 20 Feb 1998, Marcus J. Ranum wrote:

> Network-1 makes a firewall called Firewall/Plus. It's a pretty good
> firewall, but the one thing that I think is terrific about it is
> that it has a bunch of policy templates for quick install. You
> ...
> Need I mention that if such template standards existed, they
> would form useful backbones for IDS rule-sets, network scanners,
> and compliance audit tools? One of the problems with IDS is that
> it's hard to define "normal" -- having a templated policy defines
> a baseline of "normal" in a way that would be highly useful. If
> ...
> The second issue is that validating firewalls is EXTREMELY hard
> because vendors can make whatever ridiculous claims they like
> and get away with it. "Our new turbo-whomping voodoo packet
