Hi Mouss,
> > > Finally, if the event shows that FW1 is vulnerable, then my recommendation
> > > is to switch to another product, such as the Gauntlet (I don't work for NAI,
> > > it simply happens that I know this one better than others).
> >
> >Would you say that SINIX is more secure than Solaris?
>
> That'll be at least the 3rd time, but let me repeat it again. "such as"
> means this is an example, the "recommendation" is to switch _IF_ "the
> event shows...".
Well, I did not use "such as" but I meant SINIX to be an example for
something more obscure and Solaris for something very well known.
> > After all, I can
> >hardly remember any published vulnerability. *g* And this is exactly the
> >point that I have forgotten to make: Up to now probably not that many
> >whitehats have bothered to closely examine firewalls apart from
> >FireWall-1, since you hardly find any at customer sites.
>
> oh yes, and no medicine has been found for AIDS because it is rare?
No. I am saying that no medicine has been found for many of the health
problems in some places of the earth, because hardly anyone does
research in the field of these rare diseases. I am not stating that
there aren't any firewalls that could withstand thorough examination.
However, if thorough examination is not done, then we do not know.
Perhaps some of the health problems would not be very hard to solve.
This would be equivalent to an insecure firewall, the insecurity of
which has not been discovered because of the relative lack of interest
in that particular firewall. Your AIDS comparison would correspond to a
firewall that withstands thorough scrutiny. I am not saying that such a
firewall does not exist.
> My friend, gimme facts, just facts. FW1 vulnerabilities are a fact.
> The rest is conjectures.
The statement that anything is more secure than FireWall-1 is a
conjecture as well, since hardly anything has been tested that
thoroughly. I am just saying that in the area of security it might be
wiser to err on the safe side and assume a firewall to have
implementation issues. Nothing more, nothing less. Hence the two lines
of defence.
> > (Although I am
> >told such things exist. *g*) Same with DG/UX. So, at the moment, I would
> >recommend people to prefer FireWall-1 over Gauntlet _because_ the
> >vulnerabilities have been found and FireWall-1 now has _less_
> >vulnerabilities than before.
>
> Are you really serious?
Hmmmm, yes. But now that I think about it, it really is a bit like you
state below. We have really learnt a lot about FireWall-1 and its
implementation. And from what I have seen, I think that it is a good design.
It is not only the amount of bugs that we found. It's basically the
things that we liked and which we did not present. The Black Hat
Briefings perspective is a bit biased. We only showed the weaknesses.
Not the strengths.
> so, you will also say that Windows 2000 is more stable than Solaris,
> given the number of fixed bugs?
>
> Just because you take 2 balls from a bag doesn't mean it will contain
> less balls than a second bag.
True, you are right. But during the testing of FireWall-1 we have
learned that it contains quite some clever design decisions. It is not a
bad implementation at all. That is exactly why I think that Check
Point's engineers and designers are not necessarily worse than the staff
at other vendors.
> First, finding some bugs is not finding all the bugs, and one of software
> dev principles is that the number of remaining bugs is generally an
> increasing function of the number of those already found. The more you
> find, the more you should think there are.
He he, the OpenBSD people have found quite a lot of bugs, haven't they?
:-)
> But I'll tell you what I think: You recommend FW1 over Gauntlet, probably
> because you know it (FW1) much more.
Yes, I know a lot about FireWall-1. But let us get back to where we came
from. To the two lines of defence. Otherwise we will still be bickering
in ten years about whether FireWall-1 is worse than other products.
Cheers
-Thomas
--
Thomas Lopatic, TUeV data protect GmbH, [EMAIL PROTECTED]