At 09:31 PM 2/1/97 -0400, you wrote:
>Jim Canfield wrote:
>>The most secure, usable, firewall we have found to date is the
>>Cyberguard
>
>On what basis do you make this assertion? "secure" can mean a lot of
>things and a rubber stamp from NSA or it's equivalent doesn't mean a
>whole lot if buggy software can be trivially exploited. We could go on
>about "usable" but I'll let that one slide. In particular is the
>firewall configuration an EXACT match with the
>"certified/tested/evaluated" machine? NT has a C2 rating but it's not
>worth a damn. When was the last time you ran an NT box with no LAN, no
>floppy, and with a modified BIOS? Not exactly a useful product. Then
>again, assuming you duplicate this setup, place said machine nearish to a
>window. Electronic eavesdropping (for about $3000 and change) or outside
>observation does tend to degrade the usefulness of said rating does it
>not?
Firest Mistake. NT is not C2 complient. Anyone knowing anything about LAN
security would know this. Do a little more research before replying to
someone. Besides, do you even know the differnet levels of security, or are
you just "anti-nt".(which is not a bad thing)
>
>>As mentioned the products are B1 compliant (awaiting certification)....
>whatever, see above.
>
>>They are relatively easy to setup , nice GUI and it has built in the
>Ah, the GUI. Remote manageable too I think I recall. What to say when
>the X11 session gets hijacked? You sure the box isn't running a
>braindamaged X11 server? Can you attack the logging facility thru DOS?
>What happens when you bog the machine down with hundreds of connections?
>Does it run out of VM and spontaneously reboot? How about the logs
>filling up the disk? What happens when this occurs and an exploit is
>then launched? Do you still have an audit trail?
>
Have you even used the Cyberguard product ? You would know this if you have.
Pick up a phone and call !!
>>ablity for most "standard "(excuse the word) proxies and allows creation
>>of probably anything you might need.
>So they know how to check off all of the feature boxes on the report
>card. Anybody can and everybody does that.
>
>IMO ratings, be they NSA/NCSA or whatever aren't worth much and
>deffinately not a price premium. I take far more comfort in people
>banging away at the available stuff and fixing the problems.
>Additionally, you really believe the vendor (or reviewer for that matter)
>went thru every single line of code specifically looking for possible
>exploits? Get real. All the ratings do is study the protection scheme
>and bless it as logical and OK at least in theory. Then with various
>degrees of persistance they try to prove you can't get around said
>protection. Holes and stack smashes by way of poorly written C and
>resolver libraries and DOS via SYN etc. aren't addressed. If they were
>we wouldn't be plagued with some of the problems we have now.
>
SO..... Which firewall do you prefer? A filter in a router.
Sorry about the late response, I took off this weekend for once. I believe
if you do prefer one FW to another, that is fine. But don't say one box is
"better" then another or one is not "good". How do we rate these today? As
all LAN and WAN hardware desicions, personal tastes still are a factor. If I
like Cyberguard and you like Guantlet, who is to say I am wrong or you are.
Each application has it own requirements. Don't ask questions that pertain
to firewalls in general.
>
============================================================================
= Brian Podolak, ====
= E-Mail brianp @
netrunner .
net ====
============================================================================
|
|
