"Dan" == Ingevaldson, Dan (ISS Atlanta) <dsi@iss.net> writes:
Dan> http://xforce.iss.net/xforce/alerts/id/162
Dan> http://xforce.iss.net/xforce/alerts/id/163

You know, I'm quite allergic to that word "checkpoint". Perhaps I'm completely wrong here, but .. Might be a good idea to deploy openbsd firewalls instead of expensive and buggy stuff like Checkpoint :)

Anything which reduces "security" to point and click on a cute web or other GUI interface is dangerous... allows untrained and completely dumb people to brand themselves "firewall admins".

Like the "admin" at a now defunct Indian ISP where my former employer had several machines colocated. That idiot basically saw lots of inbound traffic to port 22 on our machines, didn't know what the hell that was, and firewalled port 22 across the ISP's network.

Getting locked out of all my ssh sessions, having to drive 20 km to the datacenter, and then having to reset the block myself while my boss was still arguing with the "admin" was kind of an interesting experience, I must say.

Yes, his checkpoint management console, running on an unpatched hp/ux 10.2 machine, was up and running, and we just walked right into the NOC to argue with him. That made it quite easy to click the right buttons while the guy stood up to call his supervisor in to try to convince us (me and my boss) that yes, he knew what he was doing, he had an MCSE and a CCNA after all, etc.

Is there some really good "network security for dummies" book that I can point such people at? Telling them to google doesn't do much good, I fear :(

srs

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations