RE: Firewall configuration statistics

From: Des Ward (des.ward_at_ntlworld.com)
Date: 06/25/03

    To: <security@rexwire.com>, <christopher.meidinger@badenIT.de>, <eckman@umn.edu>
    Date: Wed, 25 Jun 2003 13:37:50 +0100
    
    

    SKP,

    I'm sorry mate but it is you who doesn't seem to get our collective point.
    We have never stated that stats do not exist; but these stats are only of
    use if you are comparing like to like. If you say most breaches happened with
    'X' firewall, then that could mean a few things for example:

    The firewall is insecure
    The firewall is hard to configure
    The firewall is not configured correctly due to the kind of people working
    on it
    The firewall has the most presence on the internet, thereby presenting the
    most likely chance of success

    Gartner is seen as being a good source, but they have also recently stated
    that IDS's are on the way out. A very peculiar prospect indeed. Bearing in
    mind that Gartner et al are basing their information on polls/surveys, which
    are mainly filled in by people who have the time.

    I do not doubt for a second that 'Non technical' upper management are won
    over by stats, but surely the company that provides a tailored solution
    suitable to them instead of looking at stats to justify the reason is the
    one that wins.

    Remember all we are saying is that stats are only useful if they are
    relevant, not that you cannot get them.

    The way that certain people have responded to you was regrettable, but that
    doesn't mean that both he and the rest of us have a point. I admit that
    your original question was not answered; but surely the fact that no-one
    else has gone against our general consensus means that we do have a point.

    No-one is trying to upset you, merely to show a different (And valid) point
    of view. This thread is read by everyone and we all have a responsibility to
    lend our experience. If we can educate someone not involved in the
    conversation, but reading the thread, to look beyond just stats and hype
    then that is a good thing.

    Kind regards,

    Des

    -----Original Message-----
    From: security@rexwire.com [mailto:security@rexwire.com]
    Sent: 25 June 2003 12:33
    To: christopher.meidinger@badenIT.de; eckman@umn.edu; des.ward@ntlworld.com
    Subject: RE: Firewall configuration statistics

    This still goes to show you did not get the point of the original question.
    The numbers were for marketing. Most security marketing is targeted towards
    upper management not low level IT guys. To get an initial meeting it is
    important to get their attention somehow. Security sells better top down (at
    least for us).

    We did manage to gather the statistics all you guys keep saying do not exist.
    Have a look at IDC reports and Gartner group. A good example is one that
    states that "90% of all companies hacked last year had a firewall."

    -SKP

    -----Original Message-----
    From: Meidinger Christopher [mailto:christopher.meidinger@badenIT.de]
    Sent: Wednesday, June 25, 2003 4:46 AM
    To: 'security@rexwire.com'; 'Brian Eckman'; 'Des Ward'
    Subject: AW: Firewall configuration statistics

    As a security professional and someone that has to do with sales, I wanted
    to add a quick thought, but don't want to engage in thread necromancy.

    So anyway, I wanted to agree with you Brian -- I do not believe that the
    number could possibly be less than 90-95% as far as patched vulnerabilities.

    Des, I agree with you also. There are no numbers across the board. The needs
    of a regularly audited DoD contractor are vastly different than the security
    needs of a small business looking to install their first mail server and
    realizing that they will need a firewall in front of it. There are no
    numbers that you can apply to everything, good salesmanship and
    understanding of the industry are paramount.

    Any IT guy worth his salt will likely skip over the numbers and statistics
    anyway, and his manager will usually ask him what he thinks. Going over the
    IT boss' head to get a contract can only result in 1) him making sure you get
    no more contracts or 2) him getting fired, with 1 being the more likely.

    As this Justin person blew his top, I agreed with him, but did not defend
    him because I thought his tone went way overboard. SKP - I think you are a
    bit wrong that security contracts are won with statistics. I would say they
    are won by: 1) References from existing customers [this is the big one
    folks, there is nothing more important than two executives talking over a
    power lunch about the security consultants that discovered that their entire
    customer database was world readable] 2) Increased awareness on the part of
    the client [be it advertising, a compromise of oneself or a colleague,
    whatever, the customer is on the market for security help] and 3) Extending
    existing contracts from LAN/WAN whatever to include security.

    Statistics count toward the increased awareness factor, but I never heard
    that anyone walked in and talked about vulnerability statistics and walked
    out with a contract.

    Oh well, this is a bit incoherent, but it's early in the morning here in
    Germany and I really should be working, so I hope you'll understand.

    badenIT GmbH
    System Support
     
    Chris Meidinger
    Tullastrasse 70
    79108 Freiburg

    -----Original Message-----
    From: security@rexwire.com [mailto:security@rexwire.com]
    Sent: Monday, June 23, 2003 8:00 PM
    To: des.ward@ntlworld.com; security@rexwire.com;
    justinpryzby@users.sourceforge.net; security-basics@securityfocus.com
    Subject: RE: Firewall configuration statistics

    I think it's time to put this thread to rest. Since I started it I think I
    will be the appropriate person to do so.

    In summary I don't think my original point got across to most people. In
    part it must have something to do with the way I wrote the question and in
    part lack of sales or business experience of people reading this thread.

    My question was clearly a marketing question regarding industry statistics.
    It is quite stupid for people to say that statistics don't matter. Almost
    all security projects are sold because someone read a statistic or does not
    want to become one.

    As to leaving numbers to sales and security to security professionals.
    This way of thinking is guaranteed to shut down the company that the
    consultants work for. Everybody is in sales regardless of their title or
    position. If you are not selling you are useless to your organization
    regardless of how much skill you may possess.

    This is my $.05 $.25 and $1.00 worth

    -SKP

    -----Original Message-----
    From: Des Ward [mailto:des.ward@ntlworld.com]
    Sent: Monday, June 23, 2003 1:44 PM
    To: security@rexwire.com; justinpryzby@users.sourceforge.net;
    security-basics@securityfocus.com
    Subject: RE: Firewall configuration statistics

    Right, let's try and put this one to bed.

    Unless you are using stats that are relevant to the industry, size and
    external-facing internet presence of the intended audience; the stats used
    are of no real intrinsic value. Industry numbers have no real intrinsic
    value because of this. That is both fact and experience talking.

    The IT industry is full of people who will be conned and those who will con.
    I am not saying that anyone in this list is doing this, again this is merely
    fact and experience.

    All others in the group have been guilty of is putting this point across in
    a different way.

    In summary, let the security professionals deal with security and the
    salesmen deal with numbers. That way everyone is happy.

    Just my £0.05 worth.

    Here's to starting another thread having finally put this one to bed :o)

    Des
    -----Original Message-----
    From: security@rexwire.com [mailto:security@rexwire.com]
    Sent: 20 June 2003 22:04
    To: justinpryzby@users.sourceforge.net; security-basics@securityfocus.com
    Subject: RE: Firewall configuration statistics

    Justin's reply must be the most malicious reply I have ever read in this group
    and I hope the moderator takes notice. I was intending to get industry
    statistics for my marketing material and not an arbitrary number to feed to
    people. It comes back to my point in my last posting. People should keep
    their philosophical points to themselves; no one wants them or cares for
    them, and they provide nothing to the users of this group. Please stick to
    experience and industry numbers; they go a long way to help people.
    Wishing ill onto others as Justin did does not help anyone, nor, I guarantee,
    will it do a lot for Justin's career.

    Some of the statistics I have come across are stated below;

    90% of all companies that got compromised last year had a firewall

    70% of all attacks happen at the application level

    25% of exploits had a patch readily available

    -SKP

    -----Original Message-----
    From: Justin Pryzby [mailto:justinpryzby@users.sourceforge.net]
    Sent: Friday, June 20, 2003 10:34 AM
    To: security@rexwire.com; security-basics@securityfocus.com
    Subject: Re: Firewall configuration statistics

    Well, seeing as I just received duplicates of last month's mail, I guess
    I may as well respond.

    My intent in giving SKP two opposite and conflicting statistics is to
    reveal the meaningless nature of the question. Whether marketing
    material says 2% of firewalls are misconfigured or 98% are doesn't
    matter.

    It is a matter of opinion, and I have given SKP my own meaningless
    authority to state whatever he wants. I hope I have also given him the
    motivation to realize that what he wants is an arbitrary number to feed
    to people; I want him to get neither satisfaction nor sales from
    publishing whatever number he decides to use.

    Justin

    On Fri, Jun 20, 2003 at 04:48:02PM +0000, security@rexwire.com wrote:
    >
    > Thank you Greg. I totally agree. If people would just answer questions based
    > on real life experience and knowledge and leave the philosophy to the
    > politicians I think everyone in this group will be happy.
    >
    >
    > -SKP
    >
    > -----Original Message-----
    > From: NC Agent [mailto:NC_Agent@kueppers-familie.de]
    > Sent: Friday, June 20, 2003 12:01 PM
    > To: security@rexwire.com; justinpryzby@users.sourceforge.net
    > Cc: security-basics@securityfocus.com
    > Subject: RE: Firewall configuration statistics
    >
    >
    > What you received is the reason why I will not post a serious question
    > to the list. The list has fallen into one of opinion not fact. So folks,
    > as SKP gets more and more frustrated, and stops using the list for
    > serious business, maybe it has become time for us to get back to
    > business. Just my .005 worth.
    >
    > Greg Kane
    > SAIC
    > Senior Systems Security Engineer
    > CTSF-IA
    > Fort Hood, TX
    >
    > -----Original Message-----
    > From: security@rexwire.com [mailto:security@rexwire.com]
    > Sent: Saturday, June 07, 2003 6:16 PM
    > To: justinpryzby@users.sourceforge.net
    > Cc: security-basics@securityfocus.com
    > Subject: RE: Firewall configuration statistics
    >
    > That makes absolutely no sense. Plus I am not looking for a philosophical
    > answer. I was looking for statistics for marketing. Does anyone know of a good
    > reference site for firewall and other security statistics?
    >
    > SKP
    >
    > -----Original Message-----
    > From: Justin Pryzby [mailto:justinpryzby@users.sourceforge.net]
    > Sent: Friday, June 06, 2003 6:18 PM
    > To: security@rexwire.com
    > Cc: security-basics@securityfocus.com
    > Subject: Re: Firewall configuration statistics
    >
    >
    > Security,
    >
    > 100% of firewalls are misconfigured. I guarantee that no firewall
    > administrator has considered all of the possibilities that are out there.
    > Moreover, there are guaranteed bugs in the firewalling software itself.
    >
    > No firewalls are misconfigured. Computers do what they are told, and
    > the occasional cosmic ray bitflip is insignificant compared to human
    > error. FW admins who use broken software or write bad FW policies
    > deserve to suffer the consequences.
    >
    > Take your pick. As a user, I think all firewalls suck because at best
    > they are another layer for things to get f()'d up, and at worst they
    > prevent me from doing stuff. As an admin, I know of no more problems in
    > my current firewall configuration (-j DENY), but let me check.
    >
    > Unless you elaborate on whichever number you quote, it is meaningless.
    > Anyone who has ever dealt with a firewall will know that. You will,
    > however, impress 99% of everyone with a cool word like ''firewall''.
    >
    > Justin
    >
    >
    > On Sat, Jun 07, 2003 at 12:42:26AM +0000, security@rexwire.com wrote:
    > >
    > > I remember once reading that X amount of firewalls are misconfigured. Does
    > > anyone know where I can get this statistic from? We are making some new
    > > marketing material and I would like to include this stat in it. A quotable
    > > source would be great.
    > >
    > > Thanks
    > >
    > > SKP
    > >
    > >
    >
    > ------------------------------------------------------------------------
    > ---
    > Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top
    > analysts!
    > The Gartner Group just put Neoteris in the top of its Magic Quadrant,
    > while InStat has confirmed Neoteris as the leader in marketshare.
    >
    > Find out why, and see how you can get plug-n-play secure remote access
    > in
    > about an hour, with no client, server changes, or ongoing maintenance.
    >
    > Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    > ------------------------------------------------------------------------
    > ----
    >
    >
    >