On Sat, 6 Jan 2001, Carric Dooley wrote:
> Agreed.. a year is a long time which is why I didn't say it flat out
> sucked rocks. To be fair, at the time, it did beat Cisco's scanner for
I understand that, but I think it's important to know the time period when
a vendor has expended fairly significant resources to improve a product,
which was my main point. Some of the products mentioned haven't changed
much at all over the same time period other than adding new tests- that
makes a year old comparison of them valid if you're not just counting
vulns.
> vulns found. Net Sonar found no vulnerabilities on a stock SP4 install of
> NT Server (no hardening done). I am sure both tools have improved, but I
> don't hear anyone talking about what great products they are. Most of the
I don't think *any* scanners are great products. In fact the best I'd
rate any of them is fair. Vulnerability tests suck, scanners are most
useful as tools to measure compliance with security standards. Two or so
fair tools make that work pretty well and don't leave all the eggs in the
same basket.
> fuss is over Nessus, Internet Scanner, and CyberCop. I have actually even
> found one person that says they like Retina... =)
Fuss doesn't always equate to goodness. Talking to the salesdweeb doesn't
count ;)
> I understand the draw of the network security field and why everyone wants
> to buy in, but I believe a company should focus on its core competency.
I think it depends on how a company is structured and how they move into
new arenas. I've always hated the "core competency" buzzword because I
think that it's often an attempt to marginalize competition, and it's
pretty difficult to pin down sometimes what exactly a company is good at.
For instance, if the company is really good at marketing, then does that
mean they should market anything?
> I think WebTrends makes great reporting tools (I'm sure that will spark an
> argument...), and Cisco makes great routers, but neither is a network
> security company. Do many things "OK", or do one thing really well.
So you don't think routers have a place in network security? Cisco's
switches suck? There are a lot of things (and I've no vested interest at
all in Cisco) that Cisco hasn't done before that they've done well at by
purchasing competency and gained some measure of happy customers because
of it. They've also screwed things up before _including_ routers
(remember the first 7200 version trying to peer full routes?). There are
some Cisco products that I wouldn't deploy, and some that I prefer to
deploy- that's also true of a lot of vendors with large product lines.
There are some "firewall only" vendors whose products I wouldn't deploy-
so "core competency" doesn't seem like too reliable a metric to me.
In my last job I worked for a media company; does that mean that I was
better at producing TV shows than INFOSEC? Companies aren't the only
entities in a business that have competency, and they're perfectly able to
take advantage of the competency of their people and the people they
acquire for specific projects.
If you knew who at Webtrends wrote the scanner engine, and what they'd
done before, then I think it'd be a solid basis of comparison with
competency. Without that, it's shooting in the dark without the right
optics.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."