not that I'm a fan of any firewall product in particular, but... On Thu, 5 Feb 2004, Suresh Ramasubramanian wrote:
"Dan" == Ingevaldson, Dan (ISS Atlanta) <dsi@iss.net> writes:
Dan> http://xforce.iss.net/xforce/alerts/id/162
Dan> http://xforce.iss.net/xforce/alerts/id/163
You know, I'm quite allergic to that word "checkpoint". Perhaps I'm completely wrong here, but ..
Might be a good idea to deploy openbsd firewalls instead of expensive and buggy stuff like Checkpoint :)
Anything which reduces "security" to point and click on a cute web or other GUI interface is dangerous... allows untrained and completely
Sure, anything is dangerous in the 'right' (wrong?) hands. Is the fault with the vendor or the person(s) implementing or the 'management' of said person(s)? Even an openbsd firewall is a problem if not properly admin'd.
That idiot basically saw lots of inbound traffic to port 22 on our machines, didn't know what the hell that was, and firewalled port 22 across the ISP's network.
port 22 is bad though, right? Clearly this was the wrong person to be doing this job, he could have just as easily been looking at netflow output and dumped this traffic with an acl on his fancy router... The tool used is immaterial, his level of clue is what is at issue.
while the guy stood up to call his supervisor in to try to convince us (me and my boss) that yes, he knew what he was doing, he had an MCSE and a CCNA after all, etc.
there is a dilbert about this very thing ;) "Harness the power of CERTIFICATION!!!"
Is there some really good "network security for dummies" book that I can point such people at? Telling them to google doesn't do much good, I fear :(
Nope, but pointing out their failures in a sensible manner to their management is helpful... sometimes at least :( Failing any action there, the whole group is just shooting themselves in the foot and there isn't much you can do about that, is there? (except to get out of the blast radius)