Firewall Wizards mailing list archives

RE: FW appliance comparison - Seeking input for the forum


From: "Behm, Jeffrey L." <BehmJL () bvsg com>
Date: Wed, 25 Jan 2006 11:01:08 -0600

On Wednesday, January 25, 2006 10:19 AM, ArkanoiD so spake:
Though I think people who buy Checkpoint stuff are somehow
non-representative (I think if one tried that with, say, Cyberguard,
we'd see a completely different picture) the results are still scary.
Damn scary. That means 80% of firewalls could be thrown off with no
further harm to security.

Now wait a minute...I won't argue the "Checkpoint buyers may be
non-representative" statement, but that's too much of a jump of logic
for me to go from "misconfigured firewalls" to "firewalls [that] could
be thrown off with no further harm to security," especially because the
study only looked at 12 representative[1] components of the ruleset (2
of which were admittedly controversial).  Surely having the firewall,
even with all 2 "errors" is better than having no firewall at all. A
more realistic conclusion could be that having more than half
(two-thirds? etc.) of the representative errors indicates that the
administrator either doesn't know what he/she is doing, or was forced by
mgmt to configure it in a non-secure manner (or both).

Jeff

[1] As representative as possible, given the potentially hundreds or
thousands of possibilities. The fact that such a study was even done at
least gives one a gauge from which to guide new/seasoned admins. I look
at it like the SANS Top 10 security holes, that gives one another data
point from which to learn.