Firewall Wizards mailing list archives
Re: Gauntlet: source code anyone ?
From: Darren Reed <darrenr () reed wattle id au>
Date: Mon, 22 Mar 1999 09:19:25 +1100 (EST)
In some email I received from Marcus J. Ranum, sie wrote: [...]
> 2. vendors don't appear to do a lot of testing, particularly of boundary cases (just like all good s/w engineers should);

Typically, zilch.

> 3. vendors don't appear to have a very good quality control;

Typically, zilch.

> 4. those who buy commercial firewall products aren't interested in doing a code review of their vendor.

Typically, zilch.
It occurs to me that the above three points are problems with the process(es) being used by the companies manufacturing firewall products and thus should be fixable...

ICSA supposedly reserve the right to brand firewalls "approved" or not, hoping to distinguish worthy products from the unworthy, but how rigorous are their tests? Do they enter 1MB long strings/maximum size strings with potentially confusing data at each and every input, including those derived from external sources such as DNS, as an example to test susceptibility to buffer overflows?

Even if they did, is this likely to help customers, or do we require something else which says your product can only be categorised as a firewall if it is "approved", or for Government to say that they'll only purchase "approved" products? (Heck, maybe the requirements for branding something "Unix" should be required to change to include the above too - or maybe not, as then it wouldn't be "Unix" without buffer overflows ;-)

I'm sure that there is plenty of negativity around about how useful that would be, but it seems that the vendors are of questionable capability, hence there needs to be someone else to set the level of the bar.

Darren
Current thread:
- Gauntlet: source code anyone ? Darren Reed (Mar 18)
- Re: Gauntlet: source code anyone ? Joseph S D Yao (Mar 19)
- Re: Gauntlet: source code anyone ? Adam Shostack (Mar 19)
- Re: Gauntlet: source code anyone ? Marcus J. Ranum (Mar 19)
- Re: Gauntlet: source code anyone ? Darren Reed (Mar 21)
- Re: Gauntlet: source code anyone ? Marcus J. Ranum (Mar 21)
- Re: Gauntlet: source code anyone ? Craig H. Rowland (Mar 22)
- Re: Gauntlet: source code anyone ? Darren Reed (Mar 21)
- Re: Gauntlet: source code anyone ? Mark E. Smith (Mar 23)
- Re: Gauntlet: source code anyone ? Joseph S D Yao (Mar 23)
- Re: Gauntlet: source code anyone ? David Lang (Mar 23)
- Re: Gauntlet: source code anyone ? Steve George (Mar 21)
- Re: Gauntlet: source code anyone ? dreamwvr (Mar 22)
- <Possible follow-ups>
- Re: Gauntlet: source code anyone ? ark (Mar 19)
- Re: Gauntlet: source code anyone ? David Lang (Mar 21)
- RE: Gauntlet: source code anyone ? McMahan, Peg (Mar 19)