Well, maybe "thrown off" is wrong, "replaced with cheap Chinese NAT
Linux box" is more correct. It is better than nothing but not much more.

On Wed, Jan 25, 2006 at 11:01:08AM -0600, Behm, Jeffrey L. wrote:
> On Wednesday, January 25, 2006 10:19 AM, ArkanoiD so spake:
> >Though I think people who buy Checkpoint stuff are somehow
> >non-representative (I think if one tried that with, say, Cyberguard, we'd
> >see a completely different picture) the results are still scary. Damn
> >scary. That means 80% of firewalls could be thrown off with no further
> >harm to security.

> Now wait a minute...I won't argue the "Checkpoint buyers may be
> non-representative" statement, but that's too much of a jump of logic
> for me to go from "misconfigured firewalls" to "firewalls [that] could
> be thrown off with no further harm to security," especially because the
> study only looked at 12 representative[1] components of the ruleset (2
> of which were admittedly controversial). Surely having the firewall,
> even with all 2 "errors" is better than having no firewall at all. A
> more realistic conclusion could be that having more than half
> (two-thirds? etc.) of the representative errors indicates that the
> administrator either doesn't know what he/she is doing, or was forced by
> mgmt to configure it in a non-secure manner (or both).
> Jeff
> [1] As representative as possible, given the potentially hundreds or
> thousands of possibilities. The fact that such a study was even done at
> least gives one a gauge from which to guide new/seasoned admins. I look
> at it like the SANS Top 10 security holes, that gives one another data
> point from which to learn.

firewall-wizards mailing list