Great Circle Associates Firewalls
(October 1996)
 


Subject: Re: Crystal vs. Black Box
From: peter @ baileynm . com (Peter da Silva)
Date: Sat, 19 Oct 1996 18:13:40 -0500 (CDT)
To: pelicans @ mindspring . com (BeachCruiser)
Cc: ericw @ atd . scs . philips . com, firewalls @ GreatCircle . COM
In-reply-to: <v01540b01ae8c8fd2bd02 @ [168 . 121 . 206 . 219]> from "BeachCruiser" at Oct 18, 96 10:49:45 am

> Well...maybe it's different now, but back in the dark ages in order for
> developers to become rich they had to design and build products that
> offered a better result.

A firewall is insurance. 

Would you buy insurance from a company whose policy was a trade secret
that you couldn't open until you'd suffered a loss? That only opened it
under NDA so you couldn't let other people know if the policy was any
good?

Don't like that? Let's go back to your automotive analogy.

I can open up my car. I can see the components, even if I can't see the
design notes. I can take the engine apart. There are companies who make
a living out of opening up cars and telling people what's inside them.
They publish magazines like Road and Track, Car and Driver, Consumer
Reports. I can go down to the corner store and see that the Corvette
uses a Bosch ignition system (I have no idea if it does, it's just an
example... I could find that out). To get the same information about a
firewall I have to reverse engineer it (and that's against my license)
or look at the source code.

If it turns out that Bosch ignition systems randomly explode and destroy
the engine at 50 MPH, I can drive (below 50 MPH) to the dealer and get it
replaced. If it turns out that there's a buffer overflow bug in Borderware
that I can exploit by sending a SYN padded out to 1201 bytes with 0x7F,
what am I going to do?

As for "products" protecting the enterprise, wellllll...

Take THAT up with the marketing departments of the firewall companies.

> Third, if I were the CEO of the company that got hacked, because we
> installed a Swiss-cheese firewall, I would really be interested in knowing
> how in the hell my highly skilled and compensated IT staff came upon the
> decision to allow "a dangerously defective product" to enter the
> organization and create such a mess.

So how is the staff going to know it's a Swiss-cheese firewall if they
can't open it up?

> If anyone is having that kind of a crisis in confidence about ANY product,
> let alone a commercially developed security device, then for god's sake
> don't buy the product, go hack up your own, or pull the damn ethernet cable
> out of the wall.

That's what they're doing.

> But to those who would suggest that life on the electronic
> road will be safe and secure again if only the product developers would
> pull down their pants, I suggest that they might want to seek out an
> occupation where the issues are a bit less of a challenge.

Nobody's saying that. They're saying they don't *know* if they're safe
because they're depending on the developers to not have a hole in their
underwear. Why should I buy a car with the hood sealed down and a sales
contract that says I'm not allowed to break the seal?

