Firewall Wizards mailing list archives

Re: Apology - not necessary


From: Frank Willoughby <frankw () in net>
Date: Fri, 25 Sep 1998 10:09:30 -0500

At 09:38 AM 9/24/98 -0400, Jason L. Snowden wrote:
> I apologize to the list.  I was given misinformation, and then spread it
> without verifying it.  I was incorrect on my comments on FW-1, and apologize
> to the list and to CheckPoint for spreading rumors.

Jason,

IMO, there is nothing to apologize for.

To me, the issue isn't about Checkpoint.  It is a security issue.

As Information Security Officers, our job is to *minimize* risks 
- not take chances.  Any prudent DoD or Corporate Network/Information 
Security Officer should look at all of the factors involved before 
using *any* given product and choose the product which offers the
highest security, and poses the least potential risk.  

Briefly, let's look at the facts:
o It is in the interests of the National Security of the United
   States that data residing on classified systems and networks 
   not be made available to unauthorized individuals or countries.
o A prudent DoD Network/Information Security Officer should (by
   default) choose the most secure solution which presents the
   *least* potential risk to the data, systems, and networks -
   choosing to err on the side of caution rather than risk potential
   disaster.  Again, we are being paid to be paranoid - not naive.
o The FBI released that the 3 countries most active in committing
   economic espionage against the USA are (in alphabetical order):
   France, Israel, South Africa.  (The head of the French intelligence
   agency (DGSE) publicly disclosed in '91 that it routinely provides
   intercepted intelligence traffic to French companies if that
   traffic may be useful to that company in its efforts against
   foreign (non-French) competitors.)
o Israel was caught spying on the USA on several separate occasions.
o Checkpoint is an Israeli company with a USA office in California.
o A firewall vendor residing in one of the 3 above-mentioned countries
   is in a conflict-of-interest situation if they are providing 
   firewalls for organizations which might be potential targets of
   military or economic espionage.  Consequently, it is difficult
   to predict where the vendor's interests really reside - their
   government's or their customers'?  Not an easy choice for them.


Let's draw our own conclusions using logic:

o Security products (Firewalls, etc) from vendors who are *not* 
   from countries which have a proven track record of conducting 
   military or economic espionage on the USA, have a lower potential 
   risk* than products of similar capability which are produced from 
   vendors who don't have this track record.  

   * The potential risk referred to here is the risk that the vendor 
     may be coerced by their gov't to provide undisclosed access to 
     or product functionalities which may be used to promote that
     country's military or economic espionage efforts.

If putting in Product A has a higher risk of exposing my networks
than Product B, I will choose product B.  My recommendation is to 
always reduce the risks where possible.  

Further, for the reasons stated above, I will not recommend the use 
of any firewall or other security product from one of the 3
aforementioned countries in any classified environment or any company
which has competitors in one of those 3 countries.


*** Bottom line: why take risks when you don't have to?  ***


Best Regards,


Frank

The opinions of the author of this mail may not necessarily be 
representative of the opinions of Fortified Networks, Inc.

(c) Fortified Networks, Inc. - http://www.fortified.com/
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Fixed Price Contracts - Expert Information Security Officers
Phone: (317) 573-0800     Fax: (317) 573-0817


