Firewall Wizards mailing list archives

Re: OT: Av and Gartner...


From: Fritz Ames <fritzames () earthlink net>
Date: Thu, 31 Jul 2003 08:09:03 -0400

John (and Marcus),
I wasn't going to reply directly to the list because I felt that I might be doing what I feel Gartner does: Talk, without *really* knowing. ('Doesn't "rise to the level of a Presidential speech," if you know what I mean.) I am not working with corporate firewalls right now so I have to write in generalities. (See what I mean.)

I love "Defense in Depth." What else can you use to filter the Web and FTP traffic that concerns you--before something inside your perimeter tries to render or process it? I don't know what all the options are, but I do know that desktop AV is far from perfect. Your AV can only do so much--and it's usually at the file level--so your browser may be lost to the dark side before your AV knows what's going on--if you are not scanning that traffic. I think that your paranoia is very much warranted. I can't vouch for your approach, having never done it, but it seems very sane to me. (Were I Gartner, however,... How much cash do you have?)

My impression is that Gartner doesn't run anything, they just look at stuff, talk to people (most of whom actually pay to talk to them), and then they write up their opinions as fact. I worked for a "dot-com" that paid Gartner for advice and we kept getting glowing reports back from Gartner about how we were doing. I felt that we were getting fluffy advice from them (thinking, "How do they know our *very* niche market better than we do?"). They tooted our horn to others, which made our top execs feel that we were doing great and that Gartner knew a whole lot. In retrospect I feel that Gartner was a strange PR company, not some analysis gurus--and certainly no high-end integrator.

I think of it this way: You know those antiques shows on TV, where they tell you something is worth some fabulous amount of money? Don't you wish that they actually made transactions, to really show what something is worth? I feel the same way about Gartner.

Wouldn't it be different if they did real work based on the advice they sell, like if they could say, "We installed all authentication systems, authorization systems, firewalls and load balancing gear for Company X and, based on the similarities between your needs, we can do A, B, and C for you at this price." THAT is when I start to believe anything from Gartner (or anyone else). I have a disclaimer: I don't *know* that Gartner sells garbage, but I would love to have the time to look at all of their reports from the last four years and see A) What they said that was in conflict in different reports. B) What they said that was consistent across their reports. C) What predictions were right. D) What predictions were wrong. and E) What predictions remind me of reading a horoscope.
Thank you,

Fritz


Marcus J. Ranum wrote:
John Keeton wrote:

Also, anyone have any experience with Gartner regarding security items?


Yes.

I am amazed that anyone listens to Gartner about anything. Their
"research" is based almost entirely on hearsay, vendor marketing
literature, and vendor briefings (aka "consulting")  - while they
try very hard to dodge the question of whether their "research"
is influenced by the amount of money they get from a vendor, it's
pretty obvious what's going on if you line up who pays them and
who gets covered. You virtually never see anyone on their stupid
magic quadrant who is not a Gartner research customer or a
consulting customer. Of course they're very cagy about the
relationship between how much you pay and where you wind up,
there have been some extraordinary anomalies. Perhaps the
most significant recently was Gartner's hyping of "Intrusion
Prevention" technology - in particular they widely hyped Intruvert's
IPS. Yet no customers, according to a Gartner analyst I discussed
Intruvert with, used Intruvert in its in-line "prevention" mode. So
what did Gartner base their "research" on? Intruvert's marketing
literature? There's a serious credibility gap - indeed I'd go so far
as to say there's a serious integrity gap.

Does Gartner test technology? No. What do they actually
base their "recommendations" on? They base them on what
the vendors who pay them the most - their real customers -
want them to recommend. If you want recommendations that
have some kind of integrity, you need to look to people who
have actually gotten some hands-on time with products
and who actually understand a technology.

When I talk to "C-level" senior management I rate their
clue level based on whether they believe Gartner reports
or not. I figure if I run into a CIO who takes Gartner
reports seriously, that I've run into someone who worked
up the management chain through political skills and
organizational skills, not through technical skills, or
technological vision. Taking Gartner reports seriously
is a dead-on tipoff that you're dealing with an incompetent
empty suit - after all, to take Gartner seriously, you'd
have to be more ignorant about technology than they
are. Which is hard to imagine.

mjr.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards