The fact that all software may contain bugs and errors is easily admitted.
However, this cannot be used to justify the bad quality (I am not saying FW-1 is
bad quality; I'm talking more generally) of the software.
Otherwise, you can just say that a good administrator sets only one rule:
block all traffic, and if he allows anything else, then he's a bad admin.
The only thing that may justify the price of a commercial product is to
help the admin get it right. If one has to read tons of documentation
(not always clear or simple to read), surf the web for all the hacky sites,
and understand every aspect of every question that might be of concern, then
we're not gonna find enough security administrators to handle this job.
(Don't think I am defending myself: I am not an admin nor a security officer.)
So, a "good" product should be "practically" secure out of the box (i.e.
should be OK for most sites, or as I prefer, should block everything unless
someone clicks a button or edits a file...). It should also make it somewhat hard
to enable dangerous stuff.
Let me just wonder after this: "The authentication mechanism used by OPSEC
communications (fwn1) can be spoofed."
Why the hell would a company like KP design an auth mechanism if it is to be
spoofed?
(How would one then trust the encryption methods they implement in VPN1?
But then I digress...)
[Note: I don't work for any FW vendor, and I do not use a commercial FW. IP
Filter sings it as I like... it's just a filter, but it doesn't implement oops-sec
auth stuff, and besides, it's open source and I didn't pay for it.]
cheers,
mouss
At 10:39 01/08/00 -0700, Robert Stanley wrote:
>Paul,
>
>I personally don't disagree with any of your statements but I feel that all
>applications, firewall or other, if improperly configured and/or unpatched
>become the source of the problem. We can argue that Proxy vs. Stateful vs.
>Filter have different issues and benefits etc. The bottom line is that they
>are all software, are all written by people and people make mistakes. If a
>system administrator or company isn't willing to accept the implications, or
>take responsibility to update and maintain, then they have only themselves
>to blame. In response to your comment regarding PIX I believe that both PIX
>and FW-1 suffer the frag DOS attack. If I had the time... and I don't, I
>would test every commercially available FW application for similar issues.
>Someone with a PIX posted this issue on this list:
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
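A concrete illustration of the "block everything unless someone edits a file" posture mouss argues for, as an added example that is not part of the original message, of mouss's own configuration, or of any vendor's product: an IP Filter (ipf) ruleset that starts from default deny and opens only what is explicitly listed. The file path /etc/ipf.rules, the interface name fxp0, the host address 192.0.2.10 and the single permitted service are assumptions made for the illustration.

```conf
# Added example, not from the original post: /etc/ipf.rules (path assumed).
# Interface fxp0, host 192.0.2.10 and the allowed service are assumptions.
#
# IP Filter evaluates rules top to bottom; the LAST matching rule wins
# unless a rule carries "quick", which stops processing at that rule.
# The two "block ... all" lines therefore set the default for anything
# no later rule claims.

# The posture mouss objects to, for comparison (do NOT use):
#   pass in all
#   pass out all
# Here every hole has to be found and closed one by one after the fact.

# Default posture: everything is blocked and logged, in both directions.
block in log all
block out log all

# Anti-spoofing: a packet arriving from outside that claims our own
# address is dropped before any pass rule can match it.
block in quick on fxp0 from 192.0.2.10/32 to any

# Traffic the host itself originates is allowed out. "keep state" lets
# the replies back in without a separate inbound rule, so the inbound
# side stays closed by default.
pass out quick on fxp0 proto tcp from any to any flags S/SA keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# Inbound: only the one service somebody deliberately enabled (SMTP here).
# Each additional "pass in" line is a conscious edit to this file, which is
# exactly the "someone edits a file" step from the message above.
pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 25 flags S/SA keep state
```

The point of the layout is that adding an exposure is a visible, reviewable change (a new "pass in" line), while forgetting something only ever results in a blocked connection and a log entry, never in an open port nobody intended.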