-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Carric Dooley
Senior Consultant
COM2:Interactive Media
"But this one goes to eleven."
-- Nigel Tufnel
On Sat, 6 Jan 2001, Paul D. Robertson wrote:
> I understand that, but I think it's important to know the time period when
> a vendor has expended fairly significant resources to improve a product,
> which was my main point. Some of the products mentioned haven't changed
> much at all over the same time period other than adding new tests- that
> makes a year old comparison of them valid if you're not just counting
> vulns.
>
To some degree, I agree.. I am glad they are working hard on improving
their product, but that is why I qualified what I said with "I
played with it a year ago...". I did not track its progress after I
tested it, because I found other products superior. If you go to a
restaurant, and the food and service were crap, would you go back every
couple of weeks to see if they had improved? I bet you would not give it
a second thought unless one of your friends/colleagues told you they had
been recently, and it was vastly improved over what it was. Then you
might be willing to give it another chance. This is the first I have heard
about any vast improvements they were working on.
> I don't think *any* scanners are great products. In fact the best I'd
> rate any of them is fair. Vulnerability tests suck, scanners are most
> useful as tools to measure compliance with security standards. Two or so
> fair tools make that work pretty well and don't leave all the eggs in the
> same basket.
>
Hmmm... I have heard many of the "industry experts" say that (like in
Secrets and Lies where it seems the lesson is "all security tools are
crap, and nobody really does it right, so thank god there is Counterpane
<g>"), and I agree there is no substitute for verifying a vulnerability by
hand (i.e. attack the host), BUT I think an automated scanner helps you
find a great deal of the low-hanging fruit in an automated fashion for the
sake of time. You will never create a "secure environment". A truly secure
environment is unattainable.. security is a moving target, so you can only
do what you can do. Automated scanners are a good place to start an
assessment, and I wholly agree with your "sec standards compliance"
comment. How else do you manage your "secureness"? Develop a policy to
establish a strategy, assess the network to determine how far or close you
are to that model, design and implement a solution, and monitor the
solution and start the process all over again.. scanners are a piece of
the puzzle, and I feel they are absolutely necessary to any overall
strategy at the enterprise level.
>
> Fuss doesn't always equate to goodness. Talking to the salesdweeb doesn't
> count ;)
>
Fuss may not equate to goodness, but getting ideas and recommendations in
an open forum like this is usually a good first step to product selection.
If the consensus (or even the perception) among network security
professionals is that a product is sub-par, then it probably is. The
products you hear the most about, tend to be what people are using, and
probably for a good reason. Not to say that is a hard, fast rule, but to
use an example.. how many Cyrix CPUs do you have running at your house? Or
how many do you see running at your client sites?
>>
> I think it depends on how a company is structured and how they move into
> new arenas. I've always hated the "core competency" buzzword because I
> think that it's often an attempt to marginalize competition, and it's
> pretty difficult to pin down sometimes what exactly a company is good at.
> For instance, if the company is really good at marketing, then does that
> mean they should market anything?
>
Well, let's look at history.. when I was taking my economics classes back
in school, we learned that if you were a hunter/gatherer, you pretty much
had to make all your own tools, clothes, hunt your own food, and be able
to make (or kill your neighbor and take his stuff) anything you wanted. If
you were crappy at making clothes you had ill-fitting garments, and if you
were a crappy hunter, you probably got to eat a lot of grass, while your
cave mates enjoyed a nice big wooly mammoth haunch. With the advent of a
barter system, it allowed people or groups to specialize. If you were a
loser with a spear, but you could make the hell out of some clay pots, you
could trade pots for food. Now the quality of pots overall goes up because
you have an "artisan" making them who can specialize and refine the
process, and everyone gets steak instead of boiled rocks. This is why I
don't do work on my own car anymore.. I don't know what the hell I'm
doing so I take it to the mechanic, but I sure as hell don't take my
network designs over there for him to review. That does not prevent him
from going to DeVry and getting a CS degree, and then doing some Cisco
training to get a CCIE, BUT unless he passes those gauntlets, I think it's
safe to say he does not have the expertise. Buying a security product (or
product suite) does not automatically make you a security company, and you
could potentially do more harm than good by making people believe it's a
good product when it may not be... how would you know without the
expertise?
> So you don't think routers have a place in network security? Cisco's
Did I say that?? Absolutely they do, but did Cisco write NetRanger or
NetSonar? or did they buy a company because it gave them a launch pad into
a market new to them? Would you prefer ACLs to an app proxy or stateful
inspection? Do you want ME to work on your car, or an ASE certified
mechanic down at the Napa place? I might do it for less.. then again I
might not. =)
> switches suck? There are a lot of things (and I've no vested interest at
Suck? Maybe not, but are all their switches best suited to all
environments? I am not OVERLY impressed with Cisco switches. The 5500
series felt like a Microsoft Service Pack when we deployed a whole pile of
them at one site.. a couple of the chassis were buggy. I have worked with
one client that used Cisco at layer 3 and 3Com at layer 2 because after
extensive testing, they felt the Cisco 5500's DID suck. I think that
depends more on requirements, but then I am writing a novel here, so
I'll move on..
> all in Cisco) that Cisco hasn't done before that they've done well at by
> purchasing competency and gained some measure of happy customers because
> of it. They've also screwed things up before _including_ routers
> (remember the first 7200 version trying to peer full routes?) There are
> some Cisco products that I wouldn't deploy, and some that I prefer to
> deploy- that's also true of a lot of vendors with large product lines.
> There are some "firewall only" vendors whose products I wouldn't deploy-
> so "core competency" doesn't seem like too reliable a metric to me.
Like I said above, I was not implying that core competency is a hard and fast
rule. I agree.. there are some vendors that do one thing, and do it
poorly, but it seems like the companies that try to do it all really find
themselves in trouble sooner or later.. do you want one vendor with a
suite of mediocre products, or do you want best-of-breed for each product?
I am all for economies of scale, and preferred vendors, and TCO and all
those good things, BUT NOT at the cost of the ultimate goal.
>
> In my last job, I worked for a media company, does that mean that I was
> better at producing TV shows than INFOSEC? Companies aren't the only
> entities in a business that have competency, and they're perfectly able to
> take advantage of the competency of their people and the people they
> acquire for specific projects.
That may very well be, but it's doubtful since you appear to be an INFOSEC
guy that was probably doing INFOSEC for your media company. Did you ask
for advice or guidance on firewall or intrusion detection system
selection from the camera guys? or the producers? or the graphics artists?
why did they have you on site instead of having the receptionist just take
over the network security for the company? Because you had a SPECIALIZED
skill set maybe?
>
> If you knew who at Webtrends wrote the scanner engine, and what they'd
> done before, then I think it'd be a solid basis of comparison with
> competency. Without that, it's shooting in the dark without the right
> optics.
I believe Security Analyzer was originally Mnemonics scanner called
Asmodeus. Yes, they changed the interface, and increased the functionality
(I guess), and it may very well have developed into the best tool on the
market, but based on my limited experience with the tool, I would guess
that it isn't.. Past experience is what we base decisions on, right? If
the restaurant I mentioned serves you a moldy hamburger, you don't go back
because of the experience you had there..
Please don't take any of this the wrong way. I have a tremendous amount
of respect for you, and I consider you one of the "gurus", but like all
impetuous kohai, I must question the masters from time to time. =)
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> [EMAIL PROTECTED] which may have no basis whatsoever in fact."
>
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Made with pgp4pine 1.75-6
iQA/AwUBOloW4VUqWOkDpMZ2EQJdkQCgy0Srrv0layVr3IscABjan9CDqFcAoOaC
n877wEnaihIZn1T3GHQtC1oO
=39vz
-----END PGP SIGNATURE-----
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]