On Mon, 14 Oct 2002, Philip J. Koenig wrote:

> The title of the advisory begins "Multiple vendors' firewalls do
> not.."

The title is accurate.

> But when I read through it and looked at the vendor list, there was
> only a single vendor listed as "vulnerable". Everyone else was
> listed as either "not vulnerable" or "unknown". So logically, where
> does this "Multiple vendors firewalls.." come from?

From CERT's perspective, it came from the information they were provided. I'm not sure if folks who were vulnerable and are fixed have reported in as not vulnerable, or (more likely) CERT just hasn't gotten vendor statements from vendors who were vulnerable.

> When I read an advisory like that, I care much more about finding out
> *when* the problem was fixed, than the fact that a patch from 30
> minutes ago fixed that vendor's vulnerability. Because as someone
> else mentioned, most of the world isn't running today's release.

There are two sides to this- one side says that you should keep up with the vendor you've chosen, and let them arbitrate when you should upgrade (and in a commodity market, this isn't necessarily a bad thing- the difference between "want to know" and "need to know" is pretty far apart for *most* firewall customers these days- as is the difference between "understands the vulnerability note" and "chocolate ice cream.")

Would I like to see which firewalls failed testing? Sure! Do I *need* that information? "Ice cream!"

If you're trusting a vendor to protect your networks, then you need to trust them to keep their code current, and you have to keep up with that- vendors fix a lot of bugs in their code that don't go to announcements- so if the decision point is "should I upgrade," the answer is always "Yes."

> So what I *want* to see, in the initial listing, instead of "not
> vulnerable", is "fixed". I will then assume that those listed as
> "not vulnerable" were "never" vulnerable, and for the ones listed as
> "fixed" I will drill down further and look at the specific versions
> and dates when the problem was fixed. The current way that they're
> listed in the CERT advisory, therefore, is *not* helpful to me. It
> wastes my time, and it gives a false initial impression of what is
> and is not vulnerable.

In their defen[c,s]e, CERT isn't responsible for vendor responses, which is part of the reason that I've been pushing some of the buttons I've been pushing in the thread...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
probertsat_private      which may have no basis whatsoever in fact."
probertsonat_private   Director of Risk Assessment
                       TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 06:05:32 PDT