On 1/25/06, ArkanoiD wrote:
> nuqneH,
>
> Though i think people who buy Checkpoint stuff are somehow non-representative
> (i think if one tried that with, say, Cyberguard, we'd see completely
> different picture)


With all due respect, I must disagree on two counts:

1) like it or not, there are LOTS of Check Points out there, protecting
networks that we as an industry and we as individuals should care about:
our banks, schools, governments, telecom carriers, whatever.
So they "represent" a huge chunk of "firewall space".

2) My conclusion from that paper is NOT that "Check Point sucks".
I don't think it's fundamentally worse or better than other vendors.
In fact, I believe that firewall misconfigurations are only marginally
influenced by the choice of vendor. I have raw data for a bigger study that
includes Cisco PIXes too - and the picture isn't prettier.

IMHO, the root causes for misconfigurations are human: we people
just can't wrap our heads around the
complexity of big firewall configs. The data shows a striking correlation
between rulebase complexity and number of errors. If you want a
1-line conclusion: keep your config small if you want it to be secure.

So why would Cyberguard, or any other product, be better configured? The same
types of people, in the same organizations, would run it... or is Cyberguard
only sold to admins that pass a cluefullness test?

Avishai

> On Wed, Jan 25, 2006 at 05:32:49PM +0200, Avishai Wool wrote:
> > Paul didn't say where he got that tidbit from (and 87.3% of all statistics
> > are made up anyway :-) but if you want some hard numbers to back up
> > the spirit of his claim, you can check out:
> >
> > A. Wool. A quantitative study of firewall configuration errors.
> > IEEE Computer, 37(6):62-67, 2004.
> > http://www.eng.tau.ac.il/~yash/computer2004.pdf
> >
> > Cheers
> > Avishai
> > --
> > Avishai Wool, Ph.D.,
> > Chief Technical Officer, Algorithmic Security Inc.
> > http://www.algosec.com
> > **** Want to audit or debug your firewall's policy? ***



--
Avishai Wool, Ph.D.,
Chief Technical Officer, Algorithmic Security Inc.
http://www.algosec.com
**** Want to audit or debug your firewall's policy? ***
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards