At 02:07 PM 10/28/96 -0700, Douglas Cheline <dcheline @
>Ok, Here's the $64,000 dollar question: Which is the most secure
From one who performs vendor-neutral firewall evaluations/penetration testing,
the answer is....... "there is no such animal".
Most firewalls on the market today will NOT protect your company adequately
from the hazards of the Internet. The ones which *can* protect your company
adequately are few in number (@<5). Of these, each of these has features
which are best in some environments and inappropriate in others. There is
no "one size fits all". BTW, most of the ones on your short list wouldn't
cut it IMHO. I would need to know more about your environment (offline
please) before I could respond with a qualified answer. (I'm not wild
about asking probing questions about your company's business & security
requirements where the entire planet can see the results.)
BTW, as you may see from the .sig file below, there is a Free Internet
Firewall Evaluation Checklist which should be useful in the process of
doing your research. (Of course, the Commercial version will help you
ask the _really_ pertinent questions which will narrow the playing field
>I am in the process of choosing a firewall vendor and I'd like to know
>what "the word on the street" is in terms of the "BEST" security. I've
>seen some independent tests done (NCSA's assessment and RSA
>interoperability test) but none come out and say: "Product X is the
>best in terms of security because......" So, if you've done some tests,
>or have read information that may define a clear leader, you could
>really help me out.
The "independent tests" from NCSA & some others are inadequate to say
the least. (I'm trying to be kind here.) I have evaluated a number of
different firewalls and can say that the bulk of the ones which passed
NCSA's "tests" would not stand up to our tests. Most of the "NCSA
certified" firewalls are vulnerable to several different types of attacks.
I used to have the highest regard for NCSA. The results of their
recent testing of Anti-Virus & Firewall products have been very
disappointing. I hope that their testing methodologies will become
more vigorous and that they will "raise the bar" regarding what they
will certify. Until then, their certification isn't worth the paper
it is printed on or the bytes it takes up on disk space.
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist