Firewall Wizards mailing list archives

Re: FW appliance comparison - Seeking input for the forum

From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 2 Feb 2006 17:34:50 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 1 Feb 2006, Dave Piscitello wrote:

Paul Melson wrote:

-----Original Message-----
Subject: Re: [fw-wiz] FW appliance comparison - Seeking input for theforum
Though i think people who buy Checkpoint stuff are somehow
non-representative (i think if one tried that with, say, Cyberguard,
we'd see completely different picture) the results are still scary. Damn
scary. That means 80% firewalls could be thrown off with
no further harm to security.
I'd agree that choosing a different product customer set would probably
yield different results, but I'm not sure that Check Point is going to be
worse than others.  In fact, experience tells me that the small/medium IT
shops out there that still have their NetScreen-10 or their PIX 510 withthe
same rule set and software on it for 3+ years are even more likely to have
flawed configs.


Many SMBs have barebones policies. What I commonly see:

- default ANY outbound
- inbound http to a Port address translated web server
- inbound telnet/ssh to some 3rd party application server
 (e.g., vacation rental software on SCO boxes with credit card DBs ;-(
- logging to the localhost (appliance) which rolls the logs
 (no long term store)
- default admin account, same password today as configured day 1
- IPsec using IKE AG mode with PSK

All those nasty windows ports and protocols 138-139, 445, 5000, etcpassing in both directions, etc...



Thanks,

Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFD4okOst+vzJSwZikRAqkFAJ9Kis49cKRsmnUKvXpA1KF4RfwXNgCgpiXJ
XF7E7QWzXeeqZWPRRCJrPx0=
=jiVk
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

RE: FW appliance comparison - Seeking input for the forum Paul Melson (Feb 01)
- Re: FW appliance comparison - Seeking input for the forum nick leachman (Feb 02)
  - RE: FW appliance comparison - Seeking input for the forum Paul Melson (Feb 02)
    - RE: FW appliance comparison - Seeking input for the forum Paul Robertson (Feb 02)
    - RE: FW appliance comparison - Seeking input for the forum R. DuFresne (Feb 02)
- Re: FW appliance comparison - Seeking input for the forum Dave Piscitello (Feb 02)
  - Re: FW appliance comparison - Seeking input for the forum R. DuFresne (Feb 02)
- <Possible follow-ups>
- Re: FW appliance comparison - Seeking input for the forum R. DuFresne (Feb 01)
  - Re: FW appliance comparison - Seeking input for the forum Devdas Bhagat (Feb 07)
- Re: FW appliance comparison - Seeking input for the forum ArkanoiD (Feb 02)