My understanding of the vulnerabilities was that they were mostly due to
improper (loose) configuration, with few exceptions such as some of the more
recent DoS attacks. These attacks affect other stateful firewalls as well
(PIX). Most of the holes presented in the conference are curable simply
through proper firewall configuration. Bottom line...firewalls should be
configured and administered by trained professionals. Software should always
be updated and patched, as is true with any OS as well.


> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Paul D. Robertson
> Sent: Saturday, July 29, 2000 10:25 AM
> To: Michael Rasmussen
> Cc: [EMAIL PROTECTED]
> Subject: Re: Checkpoint Vulnerabilities???
>
>
> On Thu, 27 Jul 2000, Michael Rasmussen wrote:
>
> > Word has it from some colleagues that Checkpoint was just made to look
> > like swiss cheese at the Black Hat conference in Las Vegas.
> > Supposedly the full information will be available next week, and
> > Checkpoint has released a service pack today to fix, or supposedly fix
> > some of the problems.  I was told that a group demonstrated a number
> > of holes and vulnerabilities that have not been released yet, but they
> > have been working with Checkpoint to get them fixed before disclosure.
> >
> > Is anyone aware of the details?  If this is true - it is not good for
> > Checkpoint!!!
>
> A pretty good summary was posted to the firewall-1 mailing list, I'm not
> sure if Checkpoint archives it or if any 3rd parties do.  The exploits
> were all pretty varied and included module authentication replay and brute
> forcing, FWZ encapsulation, anti-spoofing errors in configuration, FIN
> scanning, PASV and rsh errors.  They included some recommendations in the
> presentation.  Dug's popped up here before, so hopefully he'll be able to
> post a link to the slides soon if he's actively reading it.  I've already
> packed everything, and I don't want to mess up anything with vague
> recollections. [but I'll try anyway- my notes are already packed though]
>
> Blocking access to the auth port and dropping FWZ at the border seems to
> be a good mitigation to me if you haven't already drunk the purple VPN
> Koolaid, along with blocking broadcast and multicast addresses, not using
> ANY, not turning off localhost inter-module authentication, don't stick
> publicly writable FTP servers behind FW1 (it's a good excuse to drop FTP
> as a protocol...), upgrade and apply the patches, watch the fastpath stuff
> or don't use it, make sure your anti-spoofing rules are complete and
> correct.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> [EMAIL PROTECTED]      which may have no basis whatsoever in fact."
>
>    PSB#9280
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
