Firewall Wizards mailing list archives

Re: How automate firewall tests


From: StefanDorn () bankcib com
Date: Fri, 18 Aug 2006 09:03:26 -0500

The problem here is that while firewall X might have all sorts of bells 
and whistles, it also might be more vulnerable than firewall Y which has 
only basic features because there's more of a chance that a chunk of code 
has a flaw or loophole in it, allowing someone to compromise it. This is 
compounded by the fact that firewalls are (in most cases) configured by a 
human being, allowing even more opportunity for security breaches. You 
might get a good comparison of feature vs. feature or 'general security' 
as of a certain date, but it still wouldn't give you a very clear picture 
of just how secure one firewall is versus another.

We really need some sort of tool or report that looks at how firewalls 
handle and analyze data, adherence to protocol standards, history of 
vulnerability (maybe across previous models by that manufacturer?), and 
how easy/likely it is for an end-user to misconfigure a device, leaving it 
wide open. Lots of small businesses, schools, etc. have administrators that 
aren't always security or firewall experts, and just are trying to get 
things functional. So, shouldn't this factor be a part of what a firewall 
needs to address to keep its network(s) secured?

I know the list could go on forever, but those are some bits of 
information that I wish were more accessible to people when they're 
looking at making a new firewall purchase.


Stefan Dorn


firewall-wizards-bounces () listserv icsalabs com wrote on 08-17-2006 
05:10:37 PM:

   Marcus and Strabla, hope all is well! After considering Marcus's
points, I wondered if perhaps getting a decent baseline standard between
the various vendors might be a useful metric. By using the exact same
applications, or traffic against the different commercially available
firewalls the potential purchaser of such a device may be better
informed when spending their money.
   As was stated by Marcus, measuring security is like trying to hold a
drink of water in your hand. You might be able to do it, but someone
else is always going to argue that you did not.
   I know that I am wowed when I read vendor A's appliance can do blah,
blah blah, and vendor B's can do that and a whole lot more, but I have
never seen a side by side comparison of the various devices one could
choose from. Slick advertising gets me all the time.
   I realize this is getting off the automated topic, but something
like this could help others make a better buying decision. Kind of like
a Road and Track comparison of a Porsche roadster against a BMW against
an American version (I can not think of any American made roadsters).
   Strabla, I may be close to the same age as Marcus, but his experience
is magnitudes beyond mine. He researches and designs the stuff; I just
hide corporate assets behind them, or try to anyway.
   Best of luck with your research and hope that I may have provided
some food for thought for the lurkers.
         Most sincerely, Richard Golodner
                    Rockville, Maryland


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
