>With regards to the very interesting review of different firewalls
>in the Nov 95 issue of Data Communications which Ken Stephens
>kindly pointed out.
>
>The URL is http://www.data.com/Lab_Tests/Firewalls.html if you
>missed it
>
>In summary, the top performers are:
>
>- Firewall-1
>- Cyberguard
>- TIS Gauntlet
>
>I would be interested in anyone's comments on the review. I
>was also wondering if we would see a response from the two
>vendors whose products didn't make it thru the testing process -
>BorderWare and Connect:Firewall. I seem to remember seeing previous
>comments from both these vendors on this list, so I thought
>they might care to point out the flaws in the testing methodology or
>whatever...it's always wise to hear both sides of the story.
>
>Regards,
>
>Todd
>
>
>--
>
>Todd Hooper Internet : todd@momentum.com.au
>Momentum Pty Ltd Phone : 09 483 2649
>Western Australia Fax : 09 380 4371
>
>
>
>
Todd,
Thanks for the URL pointer.
IMHO, I think the tests are slightly skewed. The tests were primarily
from a performance standpoint with security being a minor issue. From
what I know of the contenders mentioned, any self-respecting hacker can
go through *all 3* of their top picks. From a security standpoint, the
tests were disappointing to say the least.
Going on a bit further, I would venture to say that the NSTL didn't do
their homework on existing Internet vulnerabilities and how they can be
exploited. Steven Bellovin's paper entitled "Security Vulnerabilities
in the TCP/IP Protocol Suite" is an excellent work on this subject.
Robert Morris' (the father, not the son who wrote the worm) paper also
covers this subject. (A pointer to Steven's paper can be found at my
home page). The papers are well known and really easy to find on the
net. If NSTL didn't find these papers on the net, they probably didn't
look very hard.
A firewall is of (very) little value if a hacker can go through it and
land on a system *behind* the firewall. Since the testing didn't cover
these types of vulnerabilities, IMO, I would say that the testing results
are pretty useless - from a security point of view. (And a firewall
*is* a security product). Assuming the article accurately reflects NSTL's
testing methodology, then I am very disappointed in the NSTL for not doing
the basic research on Internet / TCP/IP vulnerabilities before designing
a test plan and actually testing the firewalls. I think this really hurt
their credibility. <sigh>. A very nice attempt, but IMO they didn't go far
enough.
I have received a bunch of mails regarding my previous posting on firewall
vulnerabilities, I'll cover this tomorrow with a single posting rather
than try to answer each mail individually.
Best Regards,
Frank
Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified
<standard disclaimer>
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
SUCCESS
To laugh often and much;
to win the respect of intelligent people
and affection of children;
to earn the appreciation of honest critics
and endure the betrayal of false friends;
to appreciate beauty,
to find the best in others,
to leave the world a little bit better,
whether by a healthy child,
a garden patch or a redeemed social condition;
to know even one life has breathed easier
because you have lived.
This is to have succeeded.
- Ralph Waldo Emerson