Firewall Wizards mailing list archives

Re: Practical Firewall Metrics


From: Christopher Nicholls <chrisn () dynamite com au>
Date: Mon, 23 Feb 1998 12:06:19 +1100

At 14:40 20/02/98 -0500, Marcus J. Ranum wrote:
> Michael Brennen writes:
>> I'm surprised you support this for the simple reason you point out:
>> vendors can claim anything they want.  Calling a template a "highly
>> paranoid access policy" is useless unless you have the understanding
>> to verify that it in fact does what you need. I distrust vendor
>> packages / templates / etc. for precisely this reason: I don't trust
>> them to keep *my* best interest beyond *their* own best interest.
>
> Right. That's why I said that the regulatory bodies that own
> various fields of endeavour should have defined the templates
> in accordance with best business practice for each area. It
> shouldn't/can't come from the firewall vendor but if the SEC
> published the template standards and the firewall vendors
> implemented those as packaged configurations for their products
> then we'd be able to meaningfully audit compliance.

Aahhh... So now I think this is more like the solution that I was looking
for: standardise the mechanism - not the testing.

At the moment it seems we have hundreds of different firewall "standards"
and uncountable security policies floating around out there, and here we
are trying to certify, accredit, recommend etc.. a completely hopeless task?
Pretty close. No wonder the "certification" of firewalls borders on
meaningless! And no wonder security is such an issue - the hackers/crackers
are having a field day!

But then - what is the right template? What is the right standard for
firewall design? Who says? I can see endless arguments here...

Regards

Christopher
-----------------------------------------------------------------------------
Christopher Nicholls
chrisn () dynamite com au   ~~~~~~~   chrisn () softway com au
-----------------------------------------------------------------------------
m:      0411 454755     
w:      +61 2 6243 4834 h:      +61 2 6241 2112
wf:     +61 2 6243 4848 hf:     +61 2 6241 8926
-----------------------------------------------------------------------------


