Firewall Wizards mailing list archives

Re: FW appliance comparison - Seeking input for the forum


From: Dave Piscitello <dave () corecom com>
Date: Wed, 01 Feb 2006 14:29:40 -0500

Paul Melson wrote:
> -----Original Message-----
> Subject: Re: [fw-wiz] FW appliance comparison - Seeking input for the forum
>
> > Though I think people who buy Checkpoint stuff are somehow
> > non-representative (I think if one tried that with, say, Cyberguard,
> > we'd see a completely different picture) the results are still scary. Damn
> > scary. That means 80% of firewalls could be thrown off with
> > no further harm to security.
>
> I'd agree that choosing a different product customer set would probably
> yield different results, but I'm not sure that Check Point is going to be
> worse than others. In fact, experience tells me that the small/medium IT
> shops out there that still have their NetScreen-10 or their PIX 510 with the
> same rule set and software on it for 3+ years are even more likely to have
> flawed configs.

Many SMBs have barebones policies. What I commonly see:

- default ANY outbound
- inbound http to a port-address-translated web server
- inbound telnet/ssh to some 3rd party application server
  (e.g., vacation rental software on SCO boxes with credit card DBs) ;-(
- logging to the localhost (appliance) which rolls the logs
  (no long term store)
- default admin account, same password today as configured day 1
- IPsec using IKE AG mode with PSK
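
The checklist above lends itself to an automated review. The following is an added example, not code from the thread or from any firewall vendor: it audits a policy description for each of the weaknesses listed (unrestricted egress, inbound admin or application protocols open to any source, logging that never leaves the appliance, an untouched default admin account, and IKE aggressive mode with a pre-shared key) and reports what it finds. The dict-based policy format, the sample addresses, and the rule and account names are all assumptions constructed for the example; a real appliance exports its configuration in its own syntax, and a parser for that syntax would feed this checker.

```python
"""Check a firewall policy description for the SMB weaknesses listed above.

The dict-based policy format is an assumption made for this example; a real
appliance exports its configuration in vendor syntax, and a parser for that
syntax would produce this structure.
"""
from __future__ import annotations

# Constructed sample policy mirroring the weak configuration the post describes.
WEAK_POLICY = {
    "rules": [
        {"name": "default-out", "direction": "out", "src": "any", "dst": "any",
         "service": "any", "action": "allow"},
        {"name": "web-in", "direction": "in", "src": "any", "dst": "10.0.1.10",
         "service": "tcp/80", "action": "allow"},
        {"name": "rental-app-in", "direction": "in", "src": "any", "dst": "10.0.1.20",
         "service": "tcp/23", "action": "allow"},
    ],
    "logging": {"targets": ["localhost"], "retention_days": 7},
    "admin_accounts": [{"name": "admin", "password_changed_since_install": False}],
    "vpn": [{"name": "branch", "ike_mode": "aggressive", "auth": "psk"}],
}

# The same policy with each weakness corrected, for comparison (also constructed).
HARDENED_POLICY = {
    "rules": [
        {"name": "web-out", "direction": "out", "src": "10.0.0.0/8", "dst": "any",
         "service": "tcp/443", "action": "allow"},
        {"name": "web-in", "direction": "in", "src": "any", "dst": "10.0.1.10",
         "service": "tcp/80", "action": "allow"},
        {"name": "rental-app-in", "direction": "in", "src": "203.0.113.0/24",
         "dst": "10.0.1.20", "service": "tcp/22", "action": "allow"},
    ],
    "logging": {"targets": ["localhost", "10.0.2.5"], "retention_days": 365},
    "admin_accounts": [{"name": "fw-ops", "password_changed_since_install": True}],
    "vpn": [{"name": "branch", "ike_mode": "main", "auth": "certificate"}],
}

CLEARTEXT_ADMIN = {"tcp/23", "tcp/21", "tcp/513"}          # telnet, ftp, rlogin
ADMIN_SERVICES = CLEARTEXT_ADMIN | {"tcp/22", "tcp/3389"}  # plus ssh, rdp
LOCAL_LOG_TARGETS = {"localhost", "127.0.0.1", "local"}
DEFAULT_ADMIN_NAMES = {"admin", "administrator", "root"}


def audit_policy(policy: dict) -> list[tuple[str, str]]:
    """Return (code, detail) pairs, one per weakness found; empty if clean."""
    findings: list[tuple[str, str]] = []

    for r in policy.get("rules", []):
        if r.get("action") != "allow":
            continue
        # Default ANY outbound: nothing leaving the network is ever questioned.
        if r["direction"] == "out" and r["src"] == r["dst"] == r["service"] == "any":
            findings.append(("ANY_OUTBOUND",
                             f"rule {r['name']}: unrestricted egress, outbound traffic is never filtered"))
        # Inbound admin/application protocol reachable from anywhere.
        if r["direction"] == "in" and r["src"] == "any" and r["service"] in ADMIN_SERVICES:
            how = "cleartext" if r["service"] in CLEARTEXT_ADMIN else "encrypted"
            findings.append(("ADMIN_EXPOSED",
                             f"rule {r['name']}: {how} {r['service']} to {r['dst']} open to any source"))

    # Logging only to the appliance itself means the logs roll and are lost.
    targets = set(policy.get("logging", {}).get("targets", []))
    if targets <= LOCAL_LOG_TARGETS:
        findings.append(("LOCAL_LOGS_ONLY",
                         "logs stay on the appliance and roll over; no long-term store"))

    # Default admin account still carrying its day-one password.
    for acct in policy.get("admin_accounts", []):
        if acct["name"].lower() in DEFAULT_ADMIN_NAMES and not acct.get("password_changed_since_install"):
            findings.append(("DEFAULT_ADMIN_CREDS",
                             f"account {acct['name']}: default name with its day-one password"))

    # IKE aggressive mode with a PSK exposes PSK-derived material to offline guessing.
    for tun in policy.get("vpn", []):
        if tun.get("ike_mode") == "aggressive" and tun.get("auth") == "psk":
            findings.append(("IKE_AGGRESSIVE_PSK",
                             f"tunnel {tun['name']}: aggressive mode with a pre-shared key"))

    return findings


def finding_codes(policy: dict) -> list[str]:
    """Just the finding codes, in policy order, for summaries."""
    return [code for code, _ in audit_policy(policy)]


if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: {len(audit_policy(pol))} finding(s)")
        for code, detail in audit_policy(pol):
            print(f"  [{code}] {detail}")
```

Run as a script it reports five findings for the weak policy and none for the hardened one. The checks are deliberately structural (source any, local-only log targets, account name plus password state, IKE mode plus auth method) so they can be applied to any export that a parser normalises into this shape, whatever the appliance.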
