This is a discussion on Re: [fw-wiz] FW appliance comparison - Seeking input for the forum - Firewalls
On 1/25/06, ArkanoiD wrote:
> Though I think people who buy Checkpoint stuff are somehow non-representative
> (I think if one tried that with, say, Cyberguard, we'd see completely
> different picture)
With all due respect, I must disagree on two counts:
1) like it or not, there are LOTS of Check Points out there, protecting
networks that we as an industry and we as individuals should care about:
our banks, schools, governments, telecom carriers, whatever.
So they "represent" a huge chunk of "firewall space".
2) My conclusion from that paper is NOT that "Check Point sucks".
I don't think it's fundamentally worse or better than other vendors.
In fact, I believe that firewall misconfigurations are only marginally
by the choice of vendor. I have raw data for a bigger study that
includes Cisco PIXes too - and the picture isn't prettier.
IMHO, the root causes for misconfigurations are human: we people
just can't wrap our heads around the
complexity of big firewall configs. The data shows a striking correlation
between rulebase complexity and number of errors. If you want a
1-line conclusion: keep your config small if you want it to be secure.
So why would Cyberguard, or any other product, be better configured? The same
types of people, in the same organizations, would run it... or is Cyberguard
only sold to admins that pass a cluefulness test?
> On Wed, Jan 25, 2006 at 05:32:49PM +0200, Avishai Wool wrote:
> > Paul didn't say where he got that tidbit from (and 87.3% of all statistics
> > are made up anyway :-) but if you want some hard numbers to back up
> > the spirit of his claim, you can check out:
> > A. Wool. A quantitative study of firewall configuration errors.
> > IEEE Computer, 37(6):62-67, 2004.
> > http://www.eng.tau.ac.il/~yash/computer2004.pdf
> > Cheers
> > Avishai
> > --
> > Avishai Wool, Ph.D.,
> > Chief Technical Officer, Algorithmic Security Inc.
> > http://www.algosec.com
> > **** Want to audit or debug your firewall's policy? ***
Avishai Wool, Ph.D.,
Chief Technical Officer, Algorithmic Security Inc.
**** Want to audit or debug your firewall's policy? ***
firewall-wizards mailing list