Jim Canfield wrote:
>The most secure, usable, firewall we have found to date is the
>Cyberguard
On what basis do you make this assertion? "secure" can mean a lot of
things, and a rubber stamp from NSA or its equivalent doesn't mean a
whole lot if buggy software can be trivially exploited. We could go on
about "usable" but I'll let that one slide. In particular, is the
firewall configuration an EXACT match with the
"certified/tested/evaluated" machine? NT has a C2 rating but it's not
worth a damn. When was the last time you ran an NT box with no LAN, no
floppy, and with a modified BIOS? Not exactly a useful product. Then
again, assuming you duplicate this setup, place said machine nearish to a
window. Electronic eavesdropping (for about $3000 and change) or outside
observation does tend to degrade the usefulness of said rating, does it
not?
>As mentioned the products are B1 compliant (awaiting certification)....
whatever, see above.
>They are relatively easy to setup , nice GUI and it has built in the
Ah, the GUI. Remotely manageable too, I think I recall. What to say when
the X11 session gets hijacked? You sure the box isn't running a
braindamaged X11 server? Can you attack the logging facility through DoS?
What happens when you bog the machine down with hundreds of connections?
Does it run out of VM and spontaneously reboot? How about the logs
filling up the disk? What happens when this occurs and an exploit is
then launched? Do you still have an audit trail?
>ability for most "standard" (excuse the word) proxies and allows creation
>of probably anything you might need.
So they know how to check off all of the feature boxes on the report
card. Anybody can and everybody does that.
IMO ratings, be they NSA/NCSA or whatever, aren't worth much and
definitely not a price premium. I take far more comfort in people
banging away at the available stuff and fixing the problems.
Additionally, do you really believe the vendor (or reviewer for that matter)
went through every single line of code specifically looking for possible
exploits? Get real. All the ratings do is study the protection scheme
and bless it as logical and OK, at least in theory. Then with various
degrees of persistence they try to prove you can't get around said
protection. Holes and stack smashes by way of poorly written C and
resolver libraries and DoS via SYN etc. aren't addressed. If they were,
we wouldn't be plagued with some of the problems we have now.