Look, the thread was about considerations for various firewalls.
Eventually it spun off to be considerations and issues with Open Source
options. I was merely pointing out a consideration that some folks have
to take into account. You don't have to like it, agree with it, or even
believe it. But it does happen and it is out there. I was just pointing
it out. Take it for what you want but arguing it is pointless. It's out
there for some of us.
-Hammer-
"I was a normal American nerd"
-Jack Herer
On 11/10/2011 10:04 AM, Peter Kristolaitis wrote:
Your hypothetical scenario assumes you're the only organization
compromised by the flaw (or one of very few), and not #3972 on the
list, in which case the company could go bankrupt before a court can
hear your case, and the "liability protection" they offered you is
worth the electrons it's printed on. It's great if you're a Fortune
50 and have the legal, political and financial clout to be #1 on the
lawsuit list, but nearly worthless for most organizations.
- Peter
On 11/10/2011 10:39 AM, -Hammer- wrote:
OK. Right off the bat you know I can't and won't. But in some places
it is common practice to make sure agreements are in place to make
sure all parties are protected based on how a product is
expected/designed to perform. I can't say more than that. Realize I'm
speaking about things that are solely on the vendor. Not "Did you
configure the ACL properly?"
What you can Google is the names of companies who have settled out of
court against various trolling lawsuits vs the names of companies
that are still in litigation. There is a mix of both
manufacturer/vendor and end customer. It all depends on the case.
This shouldn't surprise you. If Toyota makes a defective brake and
you slam into someone else, your insurance covers you. Eventually, if
the issue scales out to the point that it is obvious that Toyota made
a defective brake and it is not your fault, some insurance companies
collectively will go to the government or directly to the
manufacturer for compensation. This is no different. If you sell me a
FW and it catches on fire thru no fault of my own and then the public
finds out that FWs are catching on fire all over the place, it's a
good bet that that FW vendor will be getting some lawsuits. If a FW
vendor reports a product to work a certain way and instead, thru a
massive vulnerability or development oversight, it does not, the same
applies. Software. Hardware. Physical (fire). Logical
(vulnerability). I'm not saying that it happens all the time and I'm
not even saying it's a general practice. What I'm saying is it
happens. And depending on your business vertical it could be a very
real consideration.
COMPLETELY 100% MADE UP HYPOTHETICAL SCENARIO:
I put a FW in. I put proper L3 ACLs in. I block 443 inbound. I didn't
say I block HTTPS. I block 443. I test it by telnetting from the
Internet to 1.1.1.1:443 and I am unable to connect. Looks good. A
month later our CEO is surfing the Internet. Thru a development
oversight in the product, when I NAT or PAT him to the Internet his
source port is not pulled from the Ephemeral range but is instead
sourced as port 443. He of course goes to sites riddled with Malware
because that's what CEOs do. They click on links. So the Malware
website initiates a new TCP session to destination port 443 with his
NATted IP. The state table has an entry for that IP and 443 and even
though this is a new TCP session the FW lets it thru. The malware
site bad guys are able to retrieve confidential information about a
merger and publish it. The other company that we were merging with
sues us because the information is leaked to the public and adversely
impacted their stock value. Everything in the above paragraph is able
to be documented thru forensics and it is indisputable that the FW
was properly configured and should have blocked it but didn't. The FW
did NOT perform as advertised/designed. This is NOT the fault of me
or my company. If a few thousand dollars is at stake nothing may come
of this. If tens or hundreds of millions of dollars are at stake I
promise you that our lawyers will be contacting the manufacturer
whose product did not perform as advertised. They will compensate (in
one way or another) us for our losses. It's a big ugly world full of
lots of lawyers.
-Hammer-
"I was a normal American nerd"
-Jack Herer
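The NAT/state-table failure in the hypothetical above, modeled as an added Python example (not code from the thread or from any firewall product). It assumes a toy stateful firewall doing PAT on one outside address, whose translated source port is either drawn from the ephemeral range or, as in the "development oversight", fixed at 443, and whose state table is keyed either on the full outside 4-tuple (with bare SYNs never matching existing state) or, as the hypothetical describes, on the outside IP and port alone. The addresses, the inside "CEO" host and the malware site are constructed. The last function is the check a defender could run over packets captured on the outside interface, or over NAT session logs, to catch translated source ports that fall outside the ephemeral range before anything like this scenario plays out.

```python
"""Toy model of a stateful firewall with PAT, showing how a fixed NAT source
port of 443 plus a loosely keyed state table lets an unsolicited inbound
SYN through the "block 443 inbound" ACL.  All IPs and ports are constructed."""
from dataclasses import dataclass

EPHEMERAL = range(49152, 65536)   # IANA dynamic/private port range


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn_only: bool      # True for a connection-opening SYN (SYN set, ACK clear)


class Firewall:
    """Stateful firewall that translates inside hosts to a single outside IP.

    ephemeral_nat: pick translated source ports from EPHEMERAL (correct) or
                   always use 443 (the hypothetical's development oversight).
    full_tuple:    key state on the whole outside 4-tuple and refuse to match
                   a bare SYN (correct), or key it on (outside_ip, port) only
                   (the loose match described in the hypothetical).
    Inbound packets that match no state are dropped: 443 inbound is blocked.
    """

    def __init__(self, outside_ip, ephemeral_nat=True, full_tuple=True):
        self.outside_ip = outside_ip
        self.ephemeral_nat = ephemeral_nat
        self.full_tuple = full_tuple
        self.state = set()
        self._next_port = EPHEMERAL.start

    def _pick_port(self):
        if not self.ephemeral_nat:
            return 443                          # buggy: fixed, well-known port
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def outbound(self, pkt):
        """Inside host opens a connection; record state and return the
        translated packet as it would be seen on the outside interface."""
        nat_port = self._pick_port()
        if self.full_tuple:
            self.state.add((pkt.dst_ip, pkt.dst_port, self.outside_ip, nat_port))
        else:
            self.state.add((self.outside_ip, nat_port))
        return Packet(self.outside_ip, nat_port, pkt.dst_ip, pkt.dst_port, pkt.syn_only)

    def inbound(self, pkt):
        """Return True if a packet arriving from the Internet is accepted."""
        if self.full_tuple:
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            # Only a non-SYN packet from the exact peer we talked to matches.
            return key in self.state and not pkt.syn_only
        # Loose match: any sender, any source port, any TCP flags.
        return (pkt.dst_ip, pkt.dst_port) in self.state


def run_scenario(ephemeral_nat, full_tuple):
    """Replay the hypothetical; return True if the malware site's brand-new
    TCP session to outside_ip:443 is let through."""
    fw = Firewall("198.51.100.1", ephemeral_nat, full_tuple)
    # The acceptance test from the story: unsolicited connect to :443 fails.
    probe = Packet("203.0.113.9", 51000, "198.51.100.1", 443, syn_only=True)
    assert not fw.inbound(probe)            # "Looks good" in every variant
    # The CEO (inside 10.0.0.5) browses to the constructed malware site.
    fw.outbound(Packet("10.0.0.5", 52000, "203.0.113.7", 80, syn_only=True))
    # The site now opens a new session back to the NATted address on 443.
    new_session = Packet("203.0.113.7", 40000, "198.51.100.1", 443, syn_only=True)
    return fw.inbound(new_session)


def nat_ports_outside_ephemeral(outside_packets):
    """Defender's check: from packets captured on the outside interface (or
    NAT session log entries), list translated source ports that are not in
    the ephemeral range.  A non-empty result means the NAT is misbehaving."""
    return sorted({p.src_port for p in outside_packets if p.src_port not in EPHEMERAL})


def audit_nat(ephemeral_nat):
    """Capture three translated connections and run the check over them."""
    fw = Firewall("198.51.100.1", ephemeral_nat, full_tuple=True)
    captured = [fw.outbound(Packet("10.0.0.5", 52000 + i, "203.0.113.7", 80, True))
                for i in range(3)]
    return nat_ports_outside_ephemeral(captured)


if __name__ == "__main__":
    for eph, full in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"ephemeral_nat={eph!s:5} full_tuple={full!s:5} -> "
              f"{'BREACH' if run_scenario(eph, full) else 'blocked'}")
    print("non-ephemeral NAT ports seen:", audit_nat(False), audit_nat(True))
```

Only the combination of both defects (fixed port 443 and loose state matching) reproduces the leak; fixing either one is enough, which is why the ephemeral-port audit is a cheap check to add to any firewall acceptance test alongside the inbound telnet probe the story relies on.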
On 11/10/2011 09:14 AM, Richard Kulawiec wrote:
On Thu, Nov 10, 2011 at 08:52:22AM -0600, -Hammer- wrote:
The other high cost of "free" that people sometimes overlook is
liability.
Please point to an instance (case citation, please) where a commercial
firewall vendor has been successfully litigated against -- that is, held
responsible by a court of law for a failure of their product to provide
the functionality that it's claimed to provide.
---rsk