In some mail from Marcus J. Ranum, sie said:
>
> [This is no longer particularly related to NCSA, so it
> should not be taken as criticism or praise for their business.]
>
> I'm very cynical about the whole notion of firewall
> certification, as many of you have noted. Mostly, it's because
> it's nearly impossible to find an unbiased source. For example,
> the federal government's various agencies have several times
> tried to publish firewall recommendations but whenever they
> do, they get slammed and threatened with lawsuits by the
> vendors that feel they are slighted. There are probably all
> kinds of goofy procurement rules that further tie the hands
> of government agencies, with respect to making comments.
[...]
On the topic of Government recommendations, the Australian Government
has a "Firewall Requirements" document (a copy of which is hopefully
going to get to me some time this century), which I think is an
interesting way of approaching the "is it good enough?" problem.
What's more, I seem to get rather interesting advertising material from
a local reseller of ISS's scanner which points out that a number of
commercial firms which do auditing and consulting use it to verify or
audit firewalls. Whilst it is a start, it is by no means comprehensive
and reading the document, the way it is sold for such a purpose borders
on the ridiculous. It can quite easily lead to a false sense of security,
irrespective of how up-to-date it is with current patches and bugs. How
secure the firewall itself is does not necessarily have anything to do
with how well it protects your network.
Darren