On Thu, 7 Nov 1996, Brian W. McKenney wrote:
>> I think the side conversations are missing key points.
>>
>> vendors did not think this makes good marketing sense, then we would not
> ^^^^^^^^^^^^^^^
>> Certification. Again, vendors are using NCSA Certification as a marketing
>> tool, they are responding to what other vendors are identifying in their
>> glossy brochures.
>No, that's exactly the key point. The NCSA certifications are marketing
>fluff, and don't add any significant value to the firewall process. I
>can configure any one of their "certified" firewalls insecurely. I can
>also configure systems that haven't been "blessed" by bloating their
>coffers to be quite secure.
>I doubt that NCSA has gotten any of the major vendors to change a line of
>code, or added any security value at all to their products for the money
>they've received. I think that's the main point.
>Paul
Hmm.. I think you've really got the point and more: as you said, it is not a
matter of "how good my firewall is", which sounds pretty much like "how fast
my car can run", but rather "how well can I implement security on my FW?" or
"how fast I want my car to run", which is the REAL point.
I'm faced every day with clients asking for "the best firewall" just to be
sure they can say they've got it to their boss, no matter if they leave holes
as large as an elephant through it.
You can have the perfect firewall and still be hacked in a minute if you
don't install it.
The right policy is the key; the good implementation of it is how you can BE
and not just FEEL secure. AND continuous audit of what happens is the choice
for whoever wants to be able to correctly answer questions about his own
firewall security.
Max
---
------------------------------------------------------------------------
Massimo Cotrozzi
Computer and Network Security Specialist
Arthur Andersen - Computer Risk Management
Milan - Italy Tel: ++39 - 2 - 29037611
Fax: ++39 - 2 - 29037663
#include <std/disclaimer>
No Pain, No Gain