Firewall Wizards mailing list archives

RE: Evaluating Firewall


From: "Ben Nagy" <ben () iagu net>
Date: Tue, 27 May 2003 15:57:20 +0200

inline

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com 
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
Of Ruud Kenbeek
Sent: Tuesday, May 27, 2003 2:42 PM
To: firewall-wizards () honor icsalabs com
Cc: vineet () linux com kw

Hello Vineet,

With all respect to the people who reacted previously, I think you should
evaluate a firewall on three major points:

1) Security
2) Security and
3) Security

All other points mentioned by yourself and others are secondary to this. I
can build you a perfect firewall that's manageable, speedy, etc, but if it's
not secure you've got nothing.

Y'know, I really can't believe that anyone still thinks like this.

Back in the Day, to name some names, I was convinced that Cyberguard was a
more secure firewall than the last iteration of Gauntlet, which was more
secure than FW-1. Yet, for many clients, I recommended FW-1 and I still
believe I was absolutely right to do it, for many reasons. [1]

Security in the Real World, 101:

1. Security and Usability are natural enemies. Most companies want a mixture
of both.
2. If you can't summarise your security architecture on a napkin, it's not
working.
3. The real trick is being secure enough. Past that point you're losing
money.
(3a. The real _real_ trick is knowing at what point you _are_ secure
enough.)

Oh I could go on like this for hours - it'll be like the Rules of
Acquisition....

4. You can't fix HR problems with software.
5. Forget the fancy new firewall, patch your damn webservers!
6. 95% of crypto solutions are a waste of money.
7. Users trying to do their jobs have superhuman powers in terms of
bypassing security systems.
8. Nobody can sell you "Security". You need to do some work yourself. Sorry.
9. [...]

Must. Stop. Now....

ben

[1] Gauntlet was slow, buggy and used Sendmail, xntpd and Bind. Cyberguard
used a MAC OS. FW-1 monkeys were common as dirt.
