Firewall Wizards mailing list archives
Re: Apology - not necessary
From: Frank Willoughby <frankw () in net>
Date: Fri, 25 Sep 1998 10:09:30 -0500
At 09:38 AM 9/24/98 -0400, Jason L. Snowden wrote:
I apologize to the list. I was given mis-information, and then spread it without verifying it. I was incorrect on my comments on FW-1, and apologize to the list and to CheckPoint for spreading rumors.
Jason, IMO, there is nothing to apologize for. To me, the issue isn't about Checkpoint. It is a security issue. As Information Security Officers, our job is to *minimize* risks - not take chances. Any prudent DoD or Corporate Network/Information Security Officer should look at all of the factors involved before using *any* given product and choose the product which offers the highest security, and poses the least potential risk.

Briefly, let's look at the facts:

o It is in the interests of the National Security of the United States that data residing on classified systems and networks not be made available to unauthorized individuals or countries.

o A prudent DoD Network/Information Security Officer should (by default) choose the most secure solution which presents the *least* potential risk to the data, systems, and networks - choosing to err on the side of caution rather than risk potential disaster. Again, we are being paid to be paranoid - not naive.

o The FBI released that the 3 countries most active in committing economic espionage against the USA are (in alphabetical order): France, Israel, South Africa. (The head of the French intelligence agency (DGSE) publicly disclosed in '91 that it routinely provides intercepted intelligence traffic to French companies if that traffic may be useful to that company in its efforts against foreign (non-French) competitors.)

o Israel was caught spying on the USA on several separate occasions.

o Checkpoint is an Israeli company with a USA office in California.

o A firewall vendor residing in one of the 3 above-mentioned countries is in a conflict-of-interest situation if they are providing firewalls for organizations which might be potential targets of military or economic espionage. Consequently, it is difficult to predict where the vendor's interests really reside - their government's or their customers'? Not an easy choice for them.

Let's draw our own conclusions using logic:

o Security products (Firewalls, etc) from vendors who are *not* from countries which have a proven track record of conducting military or economic espionage on the USA, have a lower potential risk* than products of similar capability which are produced from vendors who don't have this track record.

* The potential risk referred to here is the risk that the vendor may be coerced by their gov't to provide undisclosed access to or product functionalities which may be used to promote that country's military or economic espionage efforts.

If putting in Product A has a higher risk of exposing my networks than Product B, I will choose product B. My recommendation is to always reduce the risks where possible. Further, for the reasons stated above, I will not recommend the use of any firewall or other security product from one of the 3 aforementioned countries in any classified environment or any company which has competitors in one of those 3 countries.

*** Bottom line: why take risks when you don't have to? ***

Best Regards,
Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.

(c) Fortified Networks, Inc. - http://www.fortified.com/
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Fixed Price Contracts - Expert Information Security Officers
Phone: (317) 573-0800 Fax: (317) 573-0817
Current thread:
- Apology Jason L. Snowden (Sep 24)
- Re: Apology - not necessary Frank Willoughby (Sep 25)
- Re: Apology - not necessary Marcus J. Ranum (Sep 25)
- Re: Apology - not necessary Paul D. Robertson (Sep 26)
- Re: Apology - not necessary Paul D. Robertson (Sep 29)
- Re: Apology - not necessary Marcus J. Ranum (Sep 25)
- Re: Apology - not necessary Perry E. Metzger (Sep 29)
- Re: Apology - not necessary John Nicholson (Sep 29)
- Re: Apology - not necessary Perry E. Metzger (Sep 29)
- Re: Apology - not necessary Frank Willoughby (Sep 25)