Security Basics mailing list archives

RE: Firewall configuration statistics


From: "Des Ward" <des.ward () ntlworld com>
Date: Sat, 7 Jun 2003 00:42:49 +0100

I would disagree with what has just been said.

If a risk analysis has been done to determine the risks to your
organisation, and the firewall stops those risks identified, then the
firewall is configured correctly at that moment in time.

The key phrase is 'at that moment in time'.

There are astoundingly poor IT staff in every position, FW admins are just a
more visible role.  No-one will keep up to date with everything in any role,
that is why regular updates to the layered-security within an organisation
are important.  Note 'layered-strategy'.

Is a firewall misconfigured if someone hacks through the web application
layer?  No, the firewall allows http/https traffic because we need it.  It's
the domain of the overall security strategy to prevent those attacks which
no firewall can stop.

Stats mean nothing unless you're measuring like against like.

If the purpose of the question is to scare people into buying into security,
then balance the cost of a breach against not doing anything.  A firewall is
not a security strategy, it's just a box.

-----Original Message-----
From: Justin Pryzby [mailto:justinpryzby () users sf net] 
Sent: 06 June 2003 23:18
To: security () rexwire com
Cc: security-basics () securityfocus com
Subject: Re: Firewall configuration statistics

Security,

100% of firewalls are misconfigured.  I guarantee that no firewall
administrator has considered all of the possibilities that are out there.
Moreover, there are guaranteed bugs in the firewalling software itself.

No firewalls are misconfigured.  Computers do what they are told, and
the occasional cosmic ray bitflip is insignificant compared to human
error.  FW admins who use broken software or write bad FW policies
deserve to suffer the consequences.

Take your pick.  As a user, I think all firewalls suck because at best
they are another layer for things to get f()'d up, and at worst they
prevent me from doing stuff.  As an admin, I know of no more problems in
my current firewall configuration (-j DENY), but let me check.

Unless you elaborate on whichever number you quote, it is meaningless.
Anyone who has ever dealt with a firewall will know that.  You will,
however, impress 99% of everyone with a cool word like 'firewall'.

Justin


On Sat, Jun 07, 2003 at 12:42:26AM +0000, security () rexwire com wrote:

I remember once reading that X amount of firewalls are misconfigured.
Does anyone know where I can get this statistic from? We are making some new
marketing material and I would like to include this stat in it. A quotable
source would be great.

Thanks

SKP



---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------