Paul Melson wrote:
> -----Original Message-----
> Subject: Re: [fw-wiz] FW appliance comparison - Seeking input for the forum
>
>> Though I think people who buy Checkpoint stuff are somehow
>> non-representative (I think if one tried that with, say, Cyberguard,
>> we'd see a completely different picture) the results are still scary. Damn
>> scary. That means 80% of firewalls could be thrown off with
>> no further harm to security.
> I'd agree that choosing a different product customer set would probably
> yield different results, but I'm not sure that Check Point is going to be
> worse than others. In fact, experience tells me that the small/medium IT
> shops out there that still have their NetScreen-10 or their PIX 510 with the
> same rule set and software on it for 3+ years are even more likely to have
> flawed configs.
Many SMBs have barebones policies. What I commonly see:
- default ANY outbound
- inbound http to a port-address-translated web server
- inbound telnet/ssh to some third-party application server
  (e.g., vacation rental software on SCO boxes with credit card DBs ;-(
- logging to the localhost (appliance) which rolls the logs
  (no long term store)
- default admin account, same password today as configured day 1
- IPsec using IKE AG mode with PSK
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Feb 02 2006
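The barebones SMB policy listed above can be checked mechanically. The following is an added example, not code from the list post or from any firewall vendor: a small audit over a constructed, vendor-neutral rule and settings model (the `Rule` dataclass, the settings keys, the finding codes and the sample addresses are all invented here) that flags each of the patterns the post names, and passes a tightened policy cleanly so the two can be compared side by side.

```python
"""Audit a simplified firewall policy for the weak SMB patterns from the post.

Constructed example: the Rule model, settings keys and finding codes are
invented for illustration and are not any vendor's configuration syntax.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

ANY = "any"


@dataclass
class Rule:
    name: str
    direction: str   # "inbound" (untrust -> trust) or "outbound" (trust -> untrust)
    action: str      # "allow" or "deny"
    src: str         # CIDR, host address, or "any"
    dst: str
    proto: str       # "tcp", "udp", or "any"
    dport: str       # destination port as a string, or "any"
    log: bool = False


# Services that carry credentials in the clear ("inbound telnet ... to some
# third-party application server").
CLEARTEXT_SERVICES = {"23": "telnet", "21": "ftp"}
# Remote-administration services that should never be reachable from "any".
ADMIN_SERVICES = {"22": "ssh", "3389": "rdp"}


def audit_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (finding_code, detail) pairs for weak allow rules."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        # "default ANY outbound": trust -> untrust with nothing constrained
        if (r.direction == "outbound" and r.src == ANY and r.dst == ANY
                and r.proto == ANY and r.dport == ANY):
            findings.append(("ANY_OUTBOUND", f"{r.name}: unrestricted outbound allow"))
        if r.direction == "inbound" and r.src == ANY:
            if r.dport in CLEARTEXT_SERVICES:
                findings.append(("CLEARTEXT_INBOUND",
                                 f"{r.name}: {CLEARTEXT_SERVICES[r.dport]} on {r.dst} exposed to any source"))
            if r.dport in ADMIN_SERVICES:
                findings.append(("ADMIN_FROM_ANY",
                                 f"{r.name}: {ADMIN_SERVICES[r.dport]} on {r.dst} reachable from any source"))
        if not r.log:
            findings.append(("UNLOGGED_ALLOW", f"{r.name}: allow rule without logging"))
    return findings


def audit_settings(settings: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return findings for appliance-wide settings (logging, admin account, VPN)."""
    findings = []
    if settings.get("log_destination") == "local":
        findings.append(("LOCAL_LOGGING", "logs kept only on the appliance; they roll and are lost"))
    if settings.get("admin_user") == "admin" and not settings.get("admin_password_changed", False):
        findings.append(("DEFAULT_ADMIN", "default admin account still using its day-1 password"))
    if settings.get("ike_mode") == "aggressive" and settings.get("ike_auth") == "psk":
        findings.append(("IKE_AGGRESSIVE_PSK",
                         "IKEv1 aggressive mode with PSK: the PSK-derived hash is exchanged "
                         "before encryption, so the key can be guessed offline"))
    return findings


def audit_policy(rules: List[Rule], settings: Dict[str, Any]) -> List[Tuple[str, str]]:
    return audit_rules(rules) + audit_settings(settings)


# Constructed sample: the "barebones" policy as described in the post.
SAMPLE_RULES = [
    Rule("out-any", "outbound", "allow", ANY, ANY, ANY, ANY),
    Rule("in-web", "inbound", "allow", ANY, "10.0.0.10", "tcp", "80", log=True),
    Rule("in-telnet-app", "inbound", "allow", ANY, "10.0.0.20", "tcp", "23"),
    Rule("deny-all", "inbound", "deny", ANY, ANY, ANY, ANY, log=True),
]
SAMPLE_SETTINGS = {"log_destination": "local", "admin_user": "admin",
                   "admin_password_changed": False, "ike_mode": "aggressive", "ike_auth": "psk"}

# Constructed tightened version of the same policy for comparison.
HARDENED_RULES = [
    Rule("out-web", "outbound", "allow", "10.0.0.0/24", ANY, "tcp", "443", log=True),
    Rule("out-dns", "outbound", "allow", "10.0.0.0/24", "10.0.0.53", "udp", "53", log=True),
    Rule("in-web", "inbound", "allow", ANY, "10.0.0.10", "tcp", "80", log=True),
    Rule("in-ssh-app", "inbound", "allow", "203.0.113.5", "10.0.0.20", "tcp", "22", log=True),
    Rule("deny-all", "inbound", "deny", ANY, ANY, ANY, ANY, log=True),
]
HARDENED_SETTINGS = {"log_destination": "syslog://10.0.0.50", "admin_user": "fwadmin",
                     "admin_password_changed": True, "ike_mode": "main", "ike_auth": "certificate"}

if __name__ == "__main__":
    for code, detail in audit_policy(SAMPLE_RULES, SAMPLE_SETTINGS):
        print(f"[{code}] {detail}")
    print("hardened findings:", audit_policy(HARDENED_RULES, HARDENED_SETTINGS))
```

Run against the sample policy it reports every item on the list except the web server (an inbound http allow to a single translated host is legitimate on its own); the hardened policy produces no findings because egress is restricted to named services, ssh is limited to one remote address, every allow is logged off-box, the admin account is renamed with a changed password, and the VPN uses main mode with certificates.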