The issue (as far as I'm concerned) is that he made some
rather glaring factual errors, and those should be apparent
to you if you've read his paper and have worked with Firewall-1.
Some folks take that to mean that he is trying to deceive folks
in favor of his company's product. Personally, I think he just
wasn't aware of some things in relation to Firewall-1.
It doesn't matter if AGs are more trustworthy than SPFs,
or if Fred is more trustworthy than the rest of us, he's
still capable of misstating facts, especially if he's not
really familiar with Firewall-1. I sent him a note pointing
out what I thought were all the errors, based on my own experience.
I haven't heard back yet.
(Me) on 10/23/97 04:32:53 PM
To: fdarden @ com @ smtp
cc: Firewalls @ COM @ smtp (bcc: Ryan Russell/SYBASE)
Subject: Re: sex, lies, and firewall code
I have been very quiet on this list of late, I don't think I've posted
anything for months, but I have trouble with this 'debate'. So here is
a 2 cent rant.
->I have the rather nice pleasure of having had experience on several
->different firewall products, including (but not limited to) Gauntlet and
->Firewall-1. So I can address both technologies from real field experience,
->having installed these types of products in many large, corporate network
->environments. I suspect many of you have brand or product loyalty, which is
->admirable. But until you have tested both technologies, and clearly
->understand both, it is difficult to say whether Fred's paper is accurate, or
->misleading. I will be posting my rebuttal to Fred's paper as soon as I am
->sure that I don't violate anyone's copyright.
As someone who has used and installed many types of firewall, and someone
who was trained on Gauntlet by Marcus Ranum, and personally knows many
of the 'real' security experts, including Fred; and as someone who broke
through Firewall-1 version 1.2 in less than 5 minutes, I do not have a
very good impression of stateful inspection and I can give an independent
view of various products as well.
I am far more willing to trust the views of Fred over most 'security
experts'. I have a lot of respect for the guys at TIS, some of whom I
have known for more than 5 years.
Given my 12 years with the Internet and more than 5 years experience with
Firewall-1, Interlock, Gauntlet, SEAL, Cyberguard et al, I can happily
say that the application gateway technique is much more trustworthy, both
technically and psychologically, based on both experience and real
I would seriously consider your 'rebuttal', if you do produce one; it
had better have the facts clear and full backing for your reasoning.
Systems Security Specialist
ID/IR, Esrin Tel. +39 (0)6 94180465
European Space Agency Fax. +39 (0)6 94180442
Via Galileo Galilei - C.P. 64 asmith @
00044 Frascati - Italy