hi,

first of all, please ensure that you send ASCII text only, so no bold,
no html... it's like posting your message in Chinese. Not that Chinese
is a bad language, but not many of us understand it....

second, breaking FW1 means that FW1 has problems, not that
firewalls have problems. It's never good to jump to conclusions...
(If not convinced, ask your girlfriend).

but let's get back to the recommendations...

The "multiple lines of defense" approach is of no help. It's not a question of
quantity, it's a quality thing. So, increasing the number of firewalls doesn't
solve the problem. The old principle still holds: you're as weak as your
weakest element. If you fear plane crashes, the solution doesn't consist
of changing planes often. After all, a plane that crashes, crashes
in a single place! Also, as the Concorde lately showed, the most expensive
is not the safest.

Trying to solve one question when you have many generally results in the wrong
answer. Installing many FWs is a source of problems, and you will end up with
more problems than you originally had.

If you're playing a chess game against a good player, do not hope to get safe
just by putting pieces in some squares. You have to put the right piece in the
right square.


Finally, if the event shows that FW1 is vulnerable, then my recommendation
is to switch to another product, such as the Gauntlet (I don't work for NAI,
it simply happens that I know this one better than others).


But after all, the weakest element in the chain is the brain, and there's no
upgrade available...

regards,
mouss
At 19:04 29/08/00 -0700, Steven Pierce wrote:

>Thank you. That was good. One of the questions that I have is the text in
>bold.
>What kind of multiple lines of defense can someone use?  Does this mean
>more than one firewall or just many layers of security?
>
>The panel also recommended a number of additional steps for "hardening"
>firewalls, including use of strong authentication protocols, "anti-spoofing"
>mechanisms and highly restrictive access rules. At the same time, they
>called on the IT community to abandon the "single firewall" model of network
>security and implement multiple lines of defense.
>
>
>*********** REPLY SEPARATOR ***********
>
>On 8/29/2000 at 8:54 PM Eessa Kamal wrote:
>
>I am sure the following article is appropriate for this forum...
>
>
>Date: Sun, 13 Aug 2000 19:52:47 PDT
>From: "Peter G. Neumann"
>Subject: Hackers breach Firewall-1
>
>[Source: David Raikow, Sm@rt Partner, 2 Aug 2000
>http://www.zdnet.com/zdnn/stories/news/0,4586,2610719,00.html]
>
>An audience of several hundred network security professionals watched with
>rapt attention last week as a trio of hackers repeatedly penetrated one of
>the industry's most trusted and popular firewall products -- Checkpoint
>Software's Firewall-1. The demonstration, presented at the "Black Hat"
>security conference in Las Vegas, challenged the widely accepted notion that
>firewalls are largely immune to direct attack.
><SNIP>**********************************************
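Two of the hardening steps the quoted article lists, "anti-spoofing" mechanisms and highly restrictive access rules, are easy to state and easy to get wrong in the ordering. The following is an added example, not code from any poster in this thread and not Firewall-1 or Gauntlet configuration: a small Python policy evaluator that applies RFC 2827-style anti-spoofing on both interfaces before consulting an explicit-allow, default-deny rule set. The topology (an "outside" and an "inside" interface, 10.0.0.0/8 behind the firewall, a web server at 203.0.113.10), the rules and the sample packets are all constructed assumptions.

```python
"""Anti-spoofing plus a default-deny rule set, as an illustration of the
hardening steps quoted in the thread. Topology, addresses, rules and the
sample traffic below are constructed assumptions for this example."""
import ipaddress
from dataclasses import dataclass

# Assumed topology: "outside" faces the Internet, "inside" faces 10.0.0.0/8,
# and a web server at 203.0.113.10 should be reachable from anywhere on 443.
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Sources that must never arrive on the outside interface: our own inside
# range plus RFC 1918, loopback, link-local and "this network".
OUTSIDE_BOGONS = INSIDE_NETS + [ipaddress.ip_network(p) for p in (
    "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def is_spoofed(pkt: Packet) -> bool:
    """RFC 2827-style check: does the source address belong on this interface?"""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "outside":
        # Ingress filtering: an inside or bogon source cannot come from the Internet.
        return any(src in net for net in OUTSIDE_BOGONS)
    if pkt.iface == "inside":
        # Egress filtering: hosts behind the firewall may only use inside addresses.
        return not any(src in net for net in INSIDE_NETS)
    return True  # unknown interface: never trust it


# Restrictive rule set: explicit allows only, first match wins, and anything
# not matched falls through to DEFAULT_ACTION. Each rule is
# (iface, proto, destination network, dport, action).
RULES = [
    ("outside", "tcp", ipaddress.ip_network("203.0.113.10/32"), 443, "allow"),
    ("inside",  "tcp", ipaddress.ip_network("0.0.0.0/0"),       80,  "allow"),
    ("inside",  "tcp", ipaddress.ip_network("0.0.0.0/0"),       443, "allow"),
    ("inside",  "udp", ipaddress.ip_network("203.0.113.53/32"), 53,  "allow"),
]
DEFAULT_ACTION = "deny"


def evaluate(pkt: Packet) -> str:
    """Anti-spoofing runs before the rule set, so a permissive rule can never
    admit a packet whose source is a lie. Returns 'spoofed', 'allow' or 'deny'."""
    if is_spoofed(pkt):
        return "spoofed"
    dst = ipaddress.ip_address(pkt.dst)
    for iface, proto, dst_net, dport, action in RULES:
        if (iface == pkt.iface and proto == pkt.proto
                and dst in dst_net and dport == pkt.dport):
            return action
    return DEFAULT_ACTION


# Constructed sample traffic (not captured data).
SAMPLES = [
    Packet("outside", "198.51.100.7", "203.0.113.10", "tcp", 443),  # legitimate web hit
    Packet("outside", "10.1.2.3",     "203.0.113.10", "tcp", 443),  # inside address from the Internet
    Packet("outside", "198.51.100.7", "203.0.113.10", "tcp", 22),   # not on the allow list
    Packet("inside",  "10.1.2.3",     "198.51.100.9", "tcp", 443),  # outbound https
    Packet("inside",  "198.51.100.9", "198.51.100.9", "tcp", 443),  # egress spoof
    Packet("inside",  "10.1.2.3",     "198.51.100.9", "tcp", 25),   # outbound smtp, not allowed
]


def run_samples() -> list:
    """Verdict for each packet in SAMPLES, in order."""
    return [evaluate(p) for p in SAMPLES]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLES, run_samples()):
        print(f"{pkt.iface:7} {pkt.src:>14} -> {pkt.dst}:{pkt.dport}/{pkt.proto}  {verdict}")
```

The point the ordering makes is the one mouss raises about the weakest element: the allow rule for 203.0.113.10:443 is correct on its own, but if the anti-spoofing check came after it (or only on one interface), a packet from the Internet claiming an inside source would match it and be admitted. A real firewall expresses the same thing as per-interface spoof-protection settings and a rule base that ends in a deny-all.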

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]