RE: [fw-wiz] Evaluating Firewall
From: Ben Nagy (ben_at_iagu.net)
Date: 05/27/03
- Previous message: Ben Nagy: "RE: [fw-wiz] What challenges are security admins facing?"
- In reply to: Ruud Kenbeek: "RE: [fw-wiz] Evaluating Firewall"
To: <firewall-wizards@honor.icsalabs.com>
Date: Tue, 27 May 2003 15:57:20 +0200
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
> Of Ruud Kenbeek
> Sent: Tuesday, May 27, 2003 2:42 PM
> To: firewall-wizards@honor.icsalabs.com
> Cc: vineet@linux.com.kw
>
> Hello Vineet,
>
> With all respect to the people who reacted previously, I
> think you should
> evaluate a firewall on three major points:
>
> 1) Security
> 2) Security and
> 3) Security
>
> All other points mentioned by yourself and others are
> secondary to this. I
> can build you a perfect firewall that's manageable, speedy,
> etc, but if it's
> not secure you've got nothing.

Y'know, I really can't believe that anyone still thinks like this.

Back in the Day, to name some names, I was convinced that Cyberguard was a
more secure firewall than the last iteration of Gauntlet, which was more
secure than FW-1. Yet, for many clients, I recommended FW-1 and I still
believe I was absolutely right to do it, for many reasons. [1]

Security in the Real World, 101:

1. Security and Usability are natural enemies. Most companies want a mixture
of both.
2. If you can't summarise your security architecture on a napkin, it's not
working.
3. The real trick is being secure enough. Past that point you're losing
money.
(3a. The real _real_ trick is knowing at what point you _are_ secure
enough.)
Oh I could go on like this for hours - it'll be like the Rules of
Acquisition....
4. You can't fix HR problems with software.
5. Forget the fancy new firewall, patch your damn webservers!
6. 95% of crypto solutions are a waste of money.
7. Users trying to do their jobs have superhuman powers in terms of
bypassing security systems.
8. Nobody can sell you "Security". You need to do some work yourself. Sorry.
9. [...]
Must. Stop. Now....

ben

[1] Gauntlet was slow, buggy and used Sendmail, xntpd and Bind. Cyberguard
used a MAC OS. FW-1 monkeys were common as dirt.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards