Duncan;
I would be very interested in hearing more about "all" the head to head
tests with CyberGuard you have been involved with as the only one I could
find that ever included your Firewall was the one in Small Business
Computing. Further since when did a head to head test of a Firewall only
include port scanning as the extent of the security analysis as reportedly
done by Small business Computing?
>From the report in Small Business Computing:
The overall score is a weighted average of four subscores:
1. Value (bang for the buck, including vendor support; 30 percent of total)
2. Performance (speed, power, depth of features; 30 percent of total)
3. Ease of Use (considering both setup/installation and daily productivity;
20 percent of total)
4. Suitability for Home Office Use (favoring products designed with
home-based workers in mind, rather than family consumers or corporate IS
managers; 20 percent of total)
Excuse me but where is the security and intrusion testing? This was a
Firewall test wasn't it?
Further from the same review:
CyberGuard Firewall for Windows NT 4.1
We liked CyberGuard Firewall the best of all the products we reviewed. It is
the least expensive Firewall for a 25-seat network, although that price does
not include proxies or a VPN. But it offers the best value of all the
products, and is the most flexible in terms of management and installation.
I fully agree with you that a large number of intrusions are due to
mis-configuration but the object of the user-interface should be to minimize
that possibility. Our user interface must be working as there has never been
a CERT bulletin regarding our Firewall ... how about Elron?
I personally do not interpret easy to install as weak... but I must say it
would certainly be easier to install a Firewall that was limited to one
architecture - stateful inspection only, then one that provided all
architectures Packet Filter, Application Proxy. Circuit Relay and Stateful
Inspection. But then again, the point of a Firewall is security isn't it, so
I guess I can live with taking a few moments longer to configure for the
benefit of the added security.
With respect to your top rated claim, when did Elron receive it's E3 rating?
CyberGuards NT product and UnixWare product both have been awarded E3
certification. Further the UnixWare product is in fact B1 compliant with
full MLS and Mandatory security.
I won't start a debate on stateful inspection as it has it's place in
security, we offer it along with our other more granular approaches for
higher levels of security. The point is we let the end user determine how
much security he desires. Hence it can require a bit more user input during
configuration but the end result is a more granular - more secure Firewall.
Regarding stateful inspection by and of itself, I will however note that in
a recent paper authored by the Computer Security Institute on Firewall
Analysis, CSI security experts made the following observation: "During last
winter's CSI conference in Chicago, at our Meet the Enemy session, hackers
singled out Stateful Inspection as their favorite Firewall to encounter."
CSI went on to comment that "It is quite possible, in fact trivial, to
configure stateful inspection firewalls to permit dangerous services through
a Firewall... Application proxy firewalls, by design, make it far more
difficult to make mistakes during configuration."
Bottom line, if you want to get head to head with our NT product then get E3
certification add a Packet Filter, Application Proxy and Circuit Relay: add
passport one for virtual firewalls, include split DNS and support for LDAP :
CVP compliance for content scanning : add a virtual server to the Firewall
for load balancing: add real OS hardening and add full Firewall redundancy
with the ability to trigger off Firewall events or selected key server
failures behind the Firewall. Want to go head to head with our UnixWare
product add the above to orange book B1 compliance with complete Multi Level
Security and Mandatory Security. After all I only want to be fair about
it.........
Paul A. Henry
CyberGuard
The opinions expressed herein are mine and mine alone
> -----Original Message-----
> From: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
<mailto:[EMAIL PROTECTED]>
> [mailto:[EMAIL PROTECTED]] <mailto:[mailto:[EMAIL PROTECTED]]>
> Sent: Friday, February 19, 1999 11:05 AM
> To: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]; <mailto:[EMAIL PROTECTED];>
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> Subject: RE: Elron Firewall
>
> Elron's CommandView firewall has been completely reworked.
> We acquired the OnGuard Firewall from ON Technology Corporation a year
and a
> half ago. ONGuard was a standalone, with a proprietary OS (Secure32OS),
that
> ON Technology shipped pre-installed on a 486 box (!).
> We've ported the firewall to NT, and enhanced both the Secure32OS version
> and the NT(CommandView) version. Both versions are software only,
stateful
> inspecting (SMLI) firewalls that were built with a priority on ease of
> installation and configuration. A lot of people have interpreted 'easy to
> install' as simple or weak. It's the, "if it's not a pain to configure it
> can't be any good" line of reasoning. We just put more work into the User
> Interface and install routines, than other vendors did.
> Based on all the head to head comparisons we've entered, the product
> performs well. [See this month's Small Business Computing and
Communications
> mag for example, where we were top-rated, and bested CyberGuard,
AltaVista,
> Guardian, and NetFortress in the small-to-medium category].
> Given that one study pointed to improper configurations resulting in 94%
of
> all successful instrusions, I'm surprised that more companies have spent
the
> time to simplify their install/configuration code.
> We're working on enhancements to both versions, in particular the NT
version
> will be integrated into the CommandView family, with our Internet
Manager
> (http blocking and monitoring), Bandwidth Optimizer (bandwidth allocation
> and monitoring), and soon to be released content filtering product.
> Hope this helps.
> Duncan Perry
> Elron Software, Inc.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
