On Fri, 8 Dec 1995, Rick Smith wrote:
> > >> >Mike Murphy says:
> > >
> > >> Yes. I have a simple idea of how to warrant a firewall.
> > >>
> > >> "If the system(s) protected by this firewall is(are) entered
> > >> in an unauthorized manner through the firewall, then Blort
> > >> Industries will pay arbitrated damages in an amount not to
> > >> exceed $1.25e6 US. Determination of unauthorized entry will
> > >> be verified by court appointed arbitrator."
>
> I ask:
>
> > I spend a great deal of time analyzing the alleged unauthorized
> > entry. For money. On an incident by incident basis. I hire experts.
> > It's expensive. It's a last resort. I weigh facts and observations...
> > oh, it was a rhetorical question, sorry. :-)
>
> No, it wasn't a rhetorical question. If this problem can be solved to
> everyone's satisfaction you might just see it happen.
>
> The point was that you need to analyze the evidence. Is there going to
> be enough evidence to decide one way or another? Will the evidence be
> in a form that you can trust? If crucial evidence is "missing" how
> does that affect the decision?
>
> By making this an "arbitration" issue it perhaps lies more on the
> technical merit of the evidence than on legal fine points. Which means
> that we can probably discuss it here without being too bogus.
>
> > I didn't hear much response about product liability insurance.
>
> It all turns on the same issue: how do you determine fault? External
> attack via a firewall is only one threat against information
> resources. How do we tell if an attack succeeded because of a firewall
> failure or because of some other organizational security failure?
> Insurance is rarely unconditional, and usually hinges on some amount
> of responsible behavior by the insured. For big bucks the insurance
> company is certainly going to make sure the insured followed the
> rules.
>
Trying to get a blanket guarantee or warranty from a firewall vendor
sounds akin to trying to get a warranty from a hardware manufacturer that
the hammer you bought from them won't allow you to hit your thumb. About
the most you might achieve from such an exercise is a promise that you
won't hit your thumb accidentally if the tool is used as intended by the
manufacturer. If you do hit your thumb accidentally, they'll only have
to say that it was intended only to be used to hit nails.
> Rick.
> smith @ sctc . com secure computing corporation
>
**** cjolley @ iac . net <Carl Jolley>
**** All opinions are my own and not necessarily those of my employer ****