The answer to most of these questions is "it depends"; they mostly aren't
checklist items, unfortunately they require understanding. This issue
underlies the utter disgust many have for computer audits done by many
auditing firms: unless the customer knows enough to force the auditing firm to
produce experts, they'll just send around junior trainees with checklists on
clipboards, and the customer won't learn anything useful about their security.

Since you ask, lemme recommend my standard firewall bibliography: read these
closely and you won't need to ask some of the questions, for the others you'll
understand what _other_ questions need to be asked before you can try and get
the right answer.

Firewalls and Internet Security
by Bill Cheswick and Steve Bellovin
Addison-Wesley, 1994
ISBN 0201633574

Practical Unix and Internet Security
by Simson Garfinkel and Gene Spafford
O'Reilly & Associates, 1996
ISBN 1565921488

Building Internet Firewalls
by Brent Chapman and Elizabeth Zwicky
O'Reilly & Associates, 1995
ISBN 1565921240

It takes a computer security expert to provide a computer security audit worth
paying for. Most of the big auditing firms probably have them, but in my
experience they won't use 'em unless forced. Which is sad.
-Bennett