Firewall Wizards mailing list archives

Re: Proxy 2.0 secure?


From: tqbf () pobox com
Date: Fri, 26 Jun 1998 01:04:02 -0500 (CDT)

The test covers the security performance of NT-based firewall systems in the
ideal security environment, I agree.  The test does not show how that could be
expected to perform security-wise if you were moronic enough to leave gaping
holes in your access mechanism via test accounts, alternate access paths and
the like.

It would be silly to write an article comparing the security of firewalls
by considering the many ways in which they can be misconfigured.
Obviously, the Data Communications article is not referring to security
holes brought on by misconfiguration --- they had the vendors configure
the boxes for the test. Clearly, the security problems we are discussing
here are design and implementation flaws, not configuration and management
mistakes.

So, I'll restate my point: network scanners are excellent tools for
verifying the configuration of a firewall. The review of firewalls we're
discussing is not about proper configuration. It's about whether software
packages from various vendors are "secure", and it does absolutely nothing
to verify whether this is the case or not. ISS makes no serious effort to
verify that a firewall is implemented properly.

Thus, since the testing methodology of this article is obviously
completely flawed, you should not cite it as evidence that NT firewalls
are secure (or not secure). The article is meaningless.

-----------------------------------------------------------------------------
Thomas H. Ptacek                           SNI Labs, Network Associates, Inc.
-----------------------------------------------------------------------------
http://www.pobox.com/~tqbf       "If you're so special, why aren't you dead?"
                                        


