This is a discussion on Re: [fw-wiz] FW appliance comparison - Seeking input for the forum - Firewalls
Just because (no offence implied) Cyberguard is an "intelligent choice" and
Checkpoint usually means "relying on market leader" with a possible lack of technical
analysis. That's why.
Not always. Just usually. Or at least sometimes.
(well, for PIXen I do not see a reason for them to exist at all, except
"our network is Cisco-based" which does look valid for me. If you need a
good packet filter, get a Netscreen)
And, after all, implicit rules are terrible so Checkpoint config is quite obscure.
On Wed, Jan 25, 2006 at 11:14:06PM +0200, Avishai Wool wrote:
> On 1/25/06, ArkanoiD
> > nuqneH,
> > Though i think people who buy Checkpoint stuff are somehow non-representative
> > (i think if one tried that with, say, Cyberguard, we'd see completely
> > different picture)
> With all due respect, I must disagree on two counts:
> 1) like it or not, there are LOTS of Check Points out there, protecting
> networks that we as an industry and we as individuals should care about:
> our banks, schools, governments, telecom carriers, whatever.
> So they "represent" a huge chunk of "firewall space".
> 2) My conclusion from that paper is NOT that "Check Point sucks".
> I don't think it's fundamentally worse or better than other vendors.
> In fact, I believe that firewall misconfigurations are only marginally
> affected by the choice of vendor. I have raw data for a bigger study that
> includes Cisco PIXes too - and the picture isn't prettier.
> IMHO, the root causes for misconfigurations are human: we people
> just can't wrap our heads around the complexity of big firewall configs.
> The data shows a striking correlation
> between rulebase complexity and number of errors. If you want a
> 1-line conclusion: keep your config small if you want it to be secure.
> So why would Cyberguard, or any other product, be better configured? The same
> types of people, in the same organizations, would run it... or is Cyberguard
> only sold to admins that pass a cluefulness test?
> > On Wed, Jan 25, 2006 at 05:32:49PM +0200, Avishai Wool wrote:
> > > Paul didn't say where he got that tidbit from (and 87.3% of all statistics
> > > are made up anyway :-) but if you want some hard numbers to back up
> > > the spirit of his claim, you can check out:
> > >
> > > A. Wool. A quantitative study of firewall configuration errors.
> > > IEEE Computer, 37(6):62-67, 2004.
> > > http://www.eng.tau.ac.il/~yash/computer2004.pdf
> > >
> > > Cheers
> > > Avishai
> > > --
> > > Avishai Wool, Ph.D.,
> > > Chief Technical Officer, Algorithmic Security Inc.
> > > http://www.algosec.com
> > > **** Want to audit or debug your firewall's policy? ***
> Avishai Wool, Ph.D.,
> Chief Technical Officer, Algorithmic Security Inc.
firewall-wizards mailing list