Firewall Wizards mailing list archives

Re: Firewall comparison


From: Matt Curtin <cmcurtin () interhack net>
Date: 02 Mar 1999 18:35:17 -0500

[This sounds harsh, but I don't mean to be abrasive to Matt or anyone
else on the list.  I have been becoming increasingly distressed at the
decreasing mean level of technical expertise.  This message is the one
that finally pushed me over the edge.  I intend to be harsh with
vendors and the industry as a whole.  Whether anyone individually
falls into the category of needing the scolding is an exercise left to
each reader. :-)]

Matt Lotz <MLotz () eaglesoft net> writes:

> most firewall companies are more than willing to compare their
> firewall to others.

...in irrelevant ways and with nonsense data meant to play off of the
inexperience of the audience.

I mean, really, how else could everyone's firewall be "the best"?

How much can you really learn useful things about a commercial
firewall like implementing relays in kernels vs. applications,
pre-forking relays vs. firing them up on demand, the pros and cons of
stateful packet filtering, resistance to various classes of attacks,
the ability to cycle through a socket's states, open source code
vs. proprietary design, etc.?

If we don't know the internals of our firewalls, if we don't
understand what's *really* happening under the hood, if we're easily
swayed by persuasive nontechnical arguments that use things like market
share as some sort of feature, then we're not firewall-wizards, we're
Information Technology Industry drones, and we ought not flatter
ourselves with titles that include the word "engineer".

We'll need to talk to vendors, to be sure, but we'll need to talk to
their engineers and ask hard questions.  We'll need to talk to other
vendors.  We'll need to do our own comparisons.  That kind of stuff
takes time, but why in the world would anyone trust what one vendor
says about someone else's product?  Many vendors lie, or tell only
part of the story to make themselves sound better, folks.  (Or they
have sales droids who spread misinformation by guessing incorrectly or
otherwise not knowing.)  They're not your friends.  Don't trust them.

We need to do our own homework and trade notes with each other to make
the decisions that work best for our own environments.  Every
organization is different, and no single set of criteria is going to
be able to answer what's right for everyone, despite what almost any
vendor will tell you.

-- 
Matt Curtin cmcurtin () interhack net http://www.interhack.net/people/cmcurtin/
