Firewall Wizards mailing list archives

Re: Proxy 2.0 secure?


From: tqbf () pobox com
Date: Tue, 30 Jun 1998 04:04:20 -0500 (CDT)

> The article made clear that we did not in any way certify products as
> "secure," whatever that means. Our tests evaluated only whether properly

You stated that your methodology would not account for misconfiguration or
new attacks. I am stating that your methodology does not account for old
attacks, either, but rather only the specific incarnations of a specific
set of largely irrelevant (to a firewall) attacks generated by a network
testing tool designed to test end-systems and not firewalls. Your
disclaimer is thus seriously misleading.

> both very real problems, but beyond the scope of our test. I agree that
> scanners and IDS products are a good way of evaluating device configuration
> (and I'm pleased to see you think IDS products are good for something ;-)

I do not think I-D is a good way of verifying device configuration; I
think that the use of I-D for config verification is seriously flawed.
Moreover, you did not use I-D tools in your test (or if you did, you
didn't document that in your article).

Additionally, I do not think IDS products based on passive network
analysis ("sniffing") are worth anything at all. I have no opinion about
any other form of I-D (and there are many others, some of which are
incarnated in very popular commercial packages); please do not
misunderstand this.

-----------------------------------------------------------------------------
Thomas H. Ptacek                           SNI Labs, Network Associates, Inc.
-----------------------------------------------------------------------------
http://www.pobox.com/~tqbf       "If you're so special, why aren't you dead?"