rmck@sandfiddler.paragon-systems.com (Bob McKisson) writes:
>Marcusez...
>
>> It's interesting that I'm the only representative from a firewall
>> vendor that has touched the discussion. :) You'd think that people
>> would be *impressed* by the fact that our source code has been
>> published and reviewed by all the experts and hackers out there,
>> including our competition. You'd think people would be *impressed* by
>> the fact that we have published our design criteria and how/why we do
>> what we do. Ask the other guys what goes on inside their black boxes
>> and they'll tell you "trust us."
>
>Huummmmmm...well yes Marcus...some I suppose are impressed. And your
>forthrightness and that of TIS is indeed noble. However, National
>security and the information asset protection needs of corporate
>America notwithstanding, we live in a dollars and cents world. To
Yea... if it can't make dollars, it don't make cents (sense)!
>suggest that publishers of commercially developed security software
>products should lift their skirts so that whodahellknowswho can
>have a peek, ostensibly for the purpose of bestowing some *ad hoc*
>good housekeeping seal of approval, is just not the way the business
>world sees things. And rightly or wrongly...that's the world we
>operate in, and that's what counts.
Someone needs to stand up to the world and give it the proverbial finger.
Not only is it wrong, it ain't working!
I am sure most of us are in the internet security business in some form,
whether you are selling products or trying to protect a network from the
Kevin Mitnicks and Robert Morris, Jr.s of the world. Not only do we
have networks to protect, each of us has our own requirements that do
not fit the cookie-cutter model vendors would like for us to follow.
It's easier for the vendor to come up with the model than to conform to
1,000,001 different configurations. TRUST US!
In this end of the Real World [TM], we (consumers) are tired of the
"TRUST US" approach. We've heard that so much that some of us are sick
and tired of it and applaud companies like Trusted Information Systems
and Berkeley Software Design, Inc., who make their sources available (one
free, and one for a fee).
Some of us cannot afford some of these folks saying "TRUST US!" I am a
consultant who has installed a small number of firewalls in the last
year (8 or 9, I lost count). My behind is on the line as much, if not
more than the vendor's. After all, I am the one who will be sued if
something goes wrong (yes, Mr. McKisson, it does happen). What did I
install? BSDI systems with TIS's FWTK! Why? BSDI has let me see
what's under the hood and TIS lets me get FWTK source for nothing!
And all of my customers have appreciated my reasons: BSDI is a
fantastic company to deal with, the system works, and if something
comes up BSDI responds quickly and sources are available (either by
CD-ROM or find a NetBSD archive on the net). They also like the
Firewall Toolkit because it is source and as long as they are trusting
me to have evaluated it, they know that the possibility for those
"gotchas" does not exist--as in they know what they got!
NOTE TO MARCUS AND TIS: No, I don't "sell" FWTK. I make the customer
get a copy on their own, I charge to install it, configure their
systems and network! They understand my reasoning.
As part of my livelihood, I also teach UNIX system administration. One
thing I stopped telling my students was: "if done right, a sysadmin's
daily responsibilities can be done within an hour every morning
(depending on network size, of course). The rest of the day can be
used to put out fires or read news!" Now with every jerk who owns a
modem looking for that "fame and glory" as the next great "internet
hacker," the realities have sysadmins looking for the best tools they
can trust.
Trust is a real issue down here in the trenches. I am not going to have
my customers install a firewall I cannot trust--and I do not trust a
vendor that says to me "TRUST US." Remember, it's that "TRUST US"
attitude that's going to give headaches to those of us who will have to
support Windoze 9[56] on a network. Not only because it is a buggy
piece of garbage, but because of what that buggy trash has the potential
to do on a network--something Micro$haft refuses to tell us about.
"TRUST US" echoes out of Redmond, Washington. [EXPLETIVES DELETED] is
the response out of Bethesda, MD!
>Now...if you would like to volunteer to do what NIST, NSA, DISA and
>other information security policy wonking organizations, promulgators,
>implementers, and a number of associations have given lip service to,
>and chair the establishment of a standing committee to come up with a
>draft criteria and standards for evaluation and performance testing for
>COTS firewall products, that then can be used as a guidepost for
>industry and particularly the user community, and lord knows we need
>one, then there just may be some incentive for the vendors to
>cooperate.
There's a reason why they are only paying "lip service"... TRUST US!
Vendors don't want the government to tell them how to do their job.
They claim they can do better. "TRUST US" they say. So these
organizations set their own standards and "hope" vendors adhere to them
when selling their goods and services. The vendors laugh and do their
own thing. TRUST US? There will only be a standard when the industry
decides it is ready for one. When it's decided it has had enough
infighting... and even then only reluctantly (see POSIX).
>If you choose to bite that one off, you can count on me to jump in with
>both feet to help you digest it. But barring that, my guess is that
That's cool... "if someone else wants to initiate it, I'll help. But in
the alleged name of free enterprise, I ain't startin' this!" Why not?
If it is that good of an idea and would be that helpful to the
industry, why not jump in and take it on, asking for others to help
you? Oh, I forgot... this can't make money in today's climate so you
really can't endorse it, right?
Yes, I know that was mean and nasty, but I find making a suggestion to
do something positive then saying "if you lead, I'll help" akin to
wimping out!
>until some common sense comes into firewall benchmark discussion,
>you'll just have to be content in continuing to label most of the other
>vendors who have rightly decided that their source code is not available
"Rightly decided?" By whose standards? Not mine!
Doesn't this strike you as a contradiction? If you're going to come up
with some sort of criteria for performance testing, aren't you going
to have to know something about what is inside? If not, what are you
testing?
>for examination by whodahellknows, and by whose specmarks, as security
>by obscurity.
Oh great... we're back to the security by ignorance approach. What a
wonderful idea! If you can't dazzle them with logic, baffle them with
bullsh*t! This is what IBM used to use on their initial releases of
RACF. The same RACF I broke after reading their manuals, making some
logical conclusions, then having their engineers wonder how I figured it
out. I was a student, not an expert MVS programmer at that time!
And that's the point: how many of these hackers are students,
hobbyists, or just plain trouble makers with manuals, modems, and time
on their hands to figure out ways around security? Plenty!! Look at
the new CERT warnings as to the number of attacks on networks by IP
spoofing! I am not plagued by male pattern baldness because I am in my
mid-30s; I'm doing internet security!! :-)
Even though I am a native New Yorker (living in the DC area now), I am
really not a suspicious person by nature. In fact, I have been
faulted for being too trusting at times! But my livelihood--my Real
World [TM]--has me having to defend networks against the Mitnick
wannabes (as sick as it sounds), both internally and externally. I
cannot trust you or anyone else. Not anymore... not the way the net
has (sadly) evolved.
"TRUST US" has to stop and stop now! I have to know what I am
installing or I will not install it. Therefore, as I look for a
firewall product for my current customers, you better be prepared to
play your Missouri game--Show Me! I don't care if you think your
product is the best thing since sliced bread, if you are not going to
show me, you better have some way of showing me that your product
works correctly and efficiently or it will not be considered for
purchase. PERIOD!
Maybe if others will do the same, the industry will change. After all,
nothing speaks louder than public opinion and customers flocking to a
competing product. Just ask Intel!
DISCLAIMER: All opinions expressed above are my own and not of Why
Systems or Disclosure, Inc. I am not an employee of,
nor do I speak for Disclosure, Inc.
scott barman
scott@disclosure.com <-- timely responses
barman@ix.netcom.com <-- personal email