>From: Danny Cox <dannyc @
>Date: Fri, 8 Sep 1995 12:45:48 +0100
>To: firewalls @
>Subject: upgrade to commercial firewalls
>Sender: firewalls-owner @
>Management here seems to have a healthy attitude to security - bordering on
>the paranoid if anything, but willing to spend the money, which is good.
>Just talking now with one of the senior managers .. our current situation is
>that I've built a firewall router using SOCKS .. my next step may have been
>to upgrade using the TIS fwtk stuff ..
>Interesting comment though from him, which in my naivete I'd not thought
>about. If we get attacked and lose software/data etc, then who's liable?
>If we use freeware products, then no one is. If we use a commercial product,
>then we can, I guess, sue the firewall supplier ... ? At least that was
>his comment, and I'd be very interested to hear what you all think to this
>concept. This is based on the idea that they'd be covered by their indemnity
>Thanks all, I appreciate your time,
This exact same point has been raised repeatedly at my company, a large financial
services firm with a "healthy bordering on paranoid" concern about security.
The ability to assign blame in the event of problems is a very significant
consideration in the acquisition of important systems and services. And if
you think about it from the management point of view there is a certain
logic to it: if we suffer a business loss due to the failure of "home grown"
or "roll your own" (terms of disparagement here...) software then the blame
must fall on those permitting/approving/performing that software development.
If a commercially acquired and configured product failed then it's just "well,
vendor X let us down again". A fairly common and believable situation here.
The possibility of actually collecting financial damages seems to be less
important than the exculpatory assignment of responsibility. I don't think
anyone really thinks we could pry money out of a major vendor because of software
defects, especially not for incidental damages.
Keep in mind also that any significant decisions about deploying a firewall
will be made by upper management, all business types far removed from any
close appreciation of the technical nuances. With all the confusing and
conflicting advice and information they get from vendors, trade rags, and
in-house staff they really don't know what to believe. Those of us in the boiler room
are close to the issues and have definite opinions, but we are only a small
piece of the real decision process.
The bigger and better known the vendor the more powerful the attraction of
this argument. Hence a strong predisposition to well known and well marketed
products, with cost and product quality often very secondary considerations.
Steve Marquess steve @
Residential Services Corp. of America
7445 New Technology Way
Frederick, MD 21701
(301) 815-6219 voice
(301) 815-6515 fax