[Please note this is entirely personal opinion and I have nothing to do
with my employer's firewalls or firewall programs- and I'm even on
vacation :)]

On Mon, 31 Jul 2000, Jerald Josephs wrote:

> I would say about 90% of the vulnerabilities can be dealt with by
> a proper configuration, but the out-of-box experience of FireWall-1
> does not completely address this.

This, of course assumes that your local userbase is non-hostile and
internal machines are not compromised or your configuration is especially
paranoid.  As was presented, the misconfiguration errors are common for
external interfaces- I can't imagine the summer hire in the mailroom being
able to drop the firewall rulebase as a good thing even if external
anti-spoofing is enabled.

> So far, we have learned about new vulnerabilities with FireWall-1, but
> that doesn't mean that other firewalls are less vulnerable. I perceive
> FireWall-1 to be the most likely to attract scrutinization and it is a
> matter of time before we learn about the weaknesses within other
> products.

1. Nobody else does FWZ encapsulation.  One of the slides indicated that
   it's a feature without an off switch?
2. If everyone else has that many bad auth schemes, we're in very bad
   shape.
3. You can't fool a proxy server with fragged packets.  That's one reason
   I've always advocated having application layer gateways in the middle
   of a firewall architecture.
4. You can't FIN scan through a proxy server.
5. You can't force broadcast or multicast traffic through a proxy server.

(Funnily enough, I don't recall anyone recommending "Security Servers" as
a "fix" for the FTP stuff- is that because they're overlooked or just not
as Application Layerish as they've been pushed?)

While I've *personally* got a low level of confidence in all the vendors' 
products I've dealt with [at my last company] (most of the reason I don't
run production firewalls anymore), I think it's unfair to spin it as
unimportant or due to irresponsible administrators or installers when the
marketing machine has been preaching ease-of-use for years.  We all know
how little upgrade discipline there is at most small and mid-sized
companies (RDS has been patched for how long?)  Also, subnetting isn't
easy for most people who set up and run networks at small companies, and I
can see how 10-15% of installations could be vulnerable just due to
someone trying to subnet between their DMZ/internal network.  I can't
count the number of times I've seen an interface or route
incorrectly/accidentally supernetted to a /24 at a small site.

To be fair, Checkpoint handled this better than I've ever seen a vendor
handle such an incident.  If you want warm fuzzies, get them from there,
not from wishing that there weren't a lot of inexperienced people landed
with a technology they don't understand.  [I wonder if anyone's going
through customer contacts urging them to upgrade?]

I've found bugs in at least half the firewall products I've installed,
tested or evaluated.  That's why I like to run firewalls where I have the
source code available.  That obviously doesn't scale to a mass market
without different dynamics than the current one though.

> I have definitely bought into the VPN punch, but I left FWZ a long time ago.

You're in the US, not all FW1/Nokia/Fore/Who_ever customers have had the
opportunity to use the alternative until recently.  I also seem to recall
mention of not being able to disable FWZ?

> Regardless of the protocol, VPNs are emerging because they are the only
> way that the Internet can scale into the realm of IPV6.

No, VPNs are emerging because companies want something for free or almost
free and they don't understand encryption boundaries.  IANA policies
notwithstanding, there's enough address space for a while, and proxies and
masquerading (many-to-one NAT) take care of anything that doesn't fit
pretty well.  There are enough encrypting transports that the cascading
headers can't be much of a v6 advantage for average users either.

VPNs wouldn't be so successful if they weren't sold as network security
products, even though their properties are for transport security not
network security.

[Good thing you didn't get me started on the anti-VPN rant at BlackHat!]

> From: "Robert Stanley" <[EMAIL PROTECTED]>

> > recent DOS attacks. These attacks affect other stateful firewalls as well
> > (PIX). Most of the holes presented in the conference are curable simply

I'd appreciate it if Robert could quantify which of the BlackHat published
vulnerabilities also affect PIX, since all I've seen to date has been
speculation.  I also think pluralizing "firewalls" is specious when naming
a single other product.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
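The "accidentally supernetted to a /24" mistake Paul describes above matters because a firewall's anti-spoofing check decides which interface a source address belongs to from the networks configured on each interface; if two legs claim the same addresses, that decision is ambiguous. The following is an added example, not code from the original post or from any vendor's product, showing how an administrator could audit an interface table for exactly this overlap. The interface names and the addresses (drawn from the RFC 5737 documentation ranges) are constructed for the example, and `tightest_nonoverlapping_prefix` is a hypothetical helper, not a real firewall command.

```python
import ipaddress
from itertools import combinations

# Constructed sample topology for a hypothetical three-legged firewall.
# Intended design: one /24 carved into a /25 DMZ and a /25 internal LAN,
# but the internal interface was configured with a /24 mask by mistake.
INTERFACES = {
    "eth0-external": "203.0.113.1/24",
    "eth1-dmz": "192.0.2.1/25",
    "eth2-internal": "192.0.2.129/24",   # should have been /25
}

# The same topology with the mask corrected, for comparison.
CORRECTED_INTERFACES = dict(INTERFACES, **{"eth2-internal": "192.0.2.129/25"})


def interface_networks(interfaces):
    """Map each interface name to the network implied by its configured mask."""
    return {name: ipaddress.ip_interface(cidr).network
            for name, cidr in interfaces.items()}


def find_overlaps(interfaces):
    """Return (iface_a, iface_b, net_a, net_b) for every pair of interfaces
    whose configured networks overlap.  Any hit means anti-spoofing cannot
    tell the two legs apart for the shared address range."""
    nets = interface_networks(interfaces)
    return [(a, b, str(na), str(nb))
            for (a, na), (b, nb) in combinations(nets.items(), 2)
            if na.overlaps(nb)]


def classify_source(interfaces, src_ip):
    """Return every interface whose network contains src_ip.  A sane
    topology yields exactly one name for a DMZ or internal address;
    more than one is the ambiguity the overlap check is looking for."""
    ip = ipaddress.ip_address(src_ip)
    return [name for name, net in interface_networks(interfaces).items()
            if ip in net]


def tightest_nonoverlapping_prefix(interfaces, iface):
    """Hypothetical helper: the shortest prefix length (no longer than the
    configured one) at which iface stops overlapping every other interface,
    or None if no such mask exists.  Useful as a hint when reporting."""
    addr = ipaddress.ip_interface(interfaces[iface])
    others = [net for name, net in interface_networks(interfaces).items()
              if name != iface]
    for plen in range(addr.network.prefixlen, addr.max_prefixlen + 1):
        candidate = ipaddress.ip_interface(f"{addr.ip}/{plen}").network
        if not any(candidate.overlaps(o) for o in others):
            return plen
    return None


def report(interfaces):
    """Human-readable audit of one interface table."""
    lines = []
    overlaps = find_overlaps(interfaces)
    if not overlaps:
        lines.append("no overlapping interface networks")
    for a, b, na, nb in overlaps:
        lines.append(f"OVERLAP: {a} ({na}) and {b} ({nb})")
        for iface in (a, b):
            hint = tightest_nonoverlapping_prefix(interfaces, iface)
            if hint is not None and hint != ipaddress.ip_interface(
                    interfaces[iface]).network.prefixlen:
                lines.append(f"  hint: {iface} would be unambiguous at /{hint}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("-- as configured --")
    print(report(INTERFACES))
    print("192.0.2.10 is claimed by:", classify_source(INTERFACES, "192.0.2.10"))
    print("-- corrected --")
    print(report(CORRECTED_INTERFACES))
    print("192.0.2.10 is claimed by:",
          classify_source(CORRECTED_INTERFACES, "192.0.2.10"))
```

Run against the as-configured table, the audit flags the DMZ and internal legs as overlapping and shows that a DMZ host such as 192.0.2.10 is claimed by both interfaces, which is why a mask error on one leg undermines anti-spoofing on the other; the corrected table produces a single owner per address. The same check generalises to route tables by feeding in (next-hop interface, destination prefix) pairs instead of interface addresses.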

