Paul,

        I personally don't disagree with any of your statements but I feel that all
applications, firewall or other, if improperly configured and/or unpatched
become the source of the problem. We can argue that Proxy vs. Stateful vs.
Filter have different issues and benefits etc. The bottom line is that they
are all software, are all written by people and people make mistakes. If a
system administrator or company isn't willing to accept the implications, or
take responsibility to update and maintain, then they have only themselves
to blame. In response to your comment regarding PIX I believe that both PIX
and FW-1 suffer the frag DoS attack. If I had the time...and I don't, I
would test every commercially available FW application for similar issues.
Someone with a PIX posted this issue on this list:

> I'm seeing some bad stuff on a Cisco PIX firewall.  Sometimes the
> firewall will completely slow to a crawl.  The console output will show
> nothing but the following error message displayed over and over:
>
> fh_insertb: too many connections(12) in set
>
> Cisco web site says that:
>
> "IP packets fragmented into more than 12 elements cannot pass through the
> PIX Firewall.  When detected, the following console message appears:"
> (above error message is then listed)

<snip>

> Talking with Cisco, they say that the PIX is simply being overloaded
> by these fragments and there's nothing that can be done on the PIX.  It
> has to be blocked upstream.  What I'm trying to determine is:
>
> 1. If this is correct.
> 2. How to block it upstream on a Cisco router on a basis other than
> source IP.

Humm, sounds like the same thing Checkpoint said about FW-1 getting
overloaded by this traffic pattern a month or two ago. ;)

http://www.checkpoint.com/techsupport/alerts/list_vun.html
IP Fragmentation Denial of Service - The mechanism used to log invalid IP
fragments consumed a large amount of CPU resources during an IP
fragmentation attack.


Robert.
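The PIX message quoted above is a per-datagram fragment count hitting a limit of 12, and the Check Point advisory describes the logging of bad fragments itself eating CPU. The following is an added example, not code from the thread or from either vendor: a small IPv4 fragment-set monitor that parses raw headers, counts the pieces of each datagram keyed on (src, dst, id, proto), flags sets that grow past 12, and rate-limits its own alerts per source so the logging path cannot be turned into the denial of service. The packets, addresses and the per-source alert budget are constructed values.

```python
import socket
import struct
from collections import defaultdict

MAX_FRAGMENTS = 12   # limit quoted from Cisco's text in the thread
ALERT_BUDGET = 3     # constructed value: alerts allowed per source address

# version/IHL, TOS, total length, id, flags+offset, TTL, proto, checksum, src, dst
IPV4_FMT = "!BBHHHBBH4s4s"


def build_ipv4_header(src, dst, ident, offset_units, more_fragments, proto=17):
    """Construct a 20-byte IPv4 header for sample traffic (checksum left zero)."""
    ver_ihl = (4 << 4) | 5
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    return struct.pack(IPV4_FMT, ver_ihl, 0, 28, ident, flags_frag, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4_header(pkt):
    """Decode the fields a fragment monitor needs from a raw IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tl, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "id": ident, "proto": proto,
        "mf": bool(flags_frag & 0x2000),   # More Fragments flag
        "offset": flags_frag & 0x1FFF,     # fragment offset in 8-byte units
    }


class FragmentMonitor:
    """Count the pieces of each datagram and alert when a set grows past the limit."""

    def __init__(self, max_fragments=MAX_FRAGMENTS, alert_budget=ALERT_BUDGET):
        self.max_fragments = max_fragments
        self.alert_budget = alert_budget
        self.sets = defaultdict(set)          # (src, dst, id, proto) -> offsets seen
        self.alerts_by_src = defaultdict(int)
        self.alerts = []                      # (key, fragment count) that were logged
        self.suppressed = 0                   # alerts dropped by the rate limit

    def observe(self, pkt):
        h = parse_ipv4_header(pkt)
        if not h["mf"] and h["offset"] == 0:
            return None                       # unfragmented datagram, nothing to track
        key = (h["src"], h["dst"], h["id"], h["proto"])
        self.sets[key].add(h["offset"])
        count = len(self.sets[key])
        if count <= self.max_fragments:
            return ("ok", key, count)
        # Over the limit: log, but only up to the per-source budget so the
        # logging path itself cannot be driven into CPU exhaustion.
        if self.alerts_by_src[h["src"]] < self.alert_budget:
            self.alerts_by_src[h["src"]] += 1
            self.alerts.append((key, count))
            return ("alert", key, count)
        self.suppressed += 1
        return ("suppressed", key, count)


def fragments_for(src, dst, ident, pieces):
    """Constructed sample: one datagram split into `pieces` fragments."""
    return [build_ipv4_header(src, dst, ident, i, more_fragments=(i < pieces - 1))
            for i in range(pieces)]


def run_sample():
    """Feed a benign 3-piece datagram and an over-fragmented 16-piece one through the monitor."""
    mon = FragmentMonitor()
    mon.observe(build_ipv4_header("10.0.0.5", "10.0.0.9", 1, 0, False))   # not a fragment
    for pkt in fragments_for("10.0.0.5", "10.0.0.9", 2, 3):               # normal fragmentation
        mon.observe(pkt)
    for pkt in fragments_for("192.0.2.7", "10.0.0.9", 3, 16):             # 16 pieces, over the limit
        mon.observe(pkt)
    return mon


if __name__ == "__main__":
    m = run_sample()
    for key, n in m.alerts:
        print(f"ALERT datagram {key} reached {n} fragments (limit {m.max_fragments})")
    print(f"{m.suppressed} further alert(s) suppressed by rate limit")
```

The monitor keys on the fragment-set identity rather than on source address alone, which is the distinction the poster was asking about: a set that grows past the limit is the signal, whatever address it comes from, while the alert budget is per source so one flood cannot fill the log. A production version would also expire sets on a reassembly timeout so tracked state does not grow without bound.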


> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Paul D. Robertson
> Sent: Tuesday, August 01, 2000 7:48 AM
> To: Jerald Josephs
> Cc: Robert Stanley; Michael Rasmussen; [EMAIL PROTECTED]
> Subject: Re: Checkpoint Vulnerabilities???
>
>
> [Please note this is entirely personal opinion and I have nothing to do
> with my employer's firewalls or firewall programs- and I'm even on
> vacation :)]
>
> On Mon, 31 Jul 2000, Jerald Josephs wrote:
>
> > I would say about 90% of the vulnerabilities can be dealt with
> > a proper configuration, but the out-of-box experience of FireWall-1
> > does not completely address this.
>
> This, of course assumes that your local userbase is non-hostile and
> internal machines are not compromised or your configuration is especially
> paranoid.  As was presented, the misconfiguration errors are common for
> external interfaces- I can't imagine the summer hire in the mailroom being
> able to drop the firewall rulebase as a good thing even if external
> anti-spoofing is enabled.
>
> > So far, we have learned about new vulnerabilities with FireWall-1, but
> > that doesn't mean that other firewalls are less vulnerable. I perceive
> > FireWall-1 to be the most likely to attract scrutinization and it is a
> > matter of time before we learn about the weaknesses within other products.
>
> 1. Nobody else does FWZ encapsulation.  One of the slides indicated that
>    it's a feature without an off switch?
> 2. If everyone else has that many bad auth schemes, we're in very bad
>    shape.
> 3. You can't fool a proxy server with fragged packets.  That's one reason
>    I've always advocated having application layer gateways in the middle
>    of a firewall architecture.
> 4. You can't FIN scan through a proxy server.
> 5. You can't force broadcast or multicast traffic through a proxy server.
>
> (Funnily enough, I don't recall anyone recommending "Security Servers" as
> a "fix" for the FTP stuff- is that because they're overlooked or just not
> as Application Layerish as they've been pushed?)
>
> While I've *personally* got a low level of confidence in all the vendors'
> products I've dealt with [at my last company] (most of the reason I don't
> run production firewalls anymore), I think it's unfair to spin it as
> unimportant or due to irresponsible administrators or installers when the
> marketing machine has been preaching ease-of-use for years.  We all know
> how little upgrade discipline there is at most small and mid-sized
> companies (RDS has been patched for how long?)  Also, subnetting isn't
> easy for most people who set up and run networks at small companies, and I
> can see how 10-15% of installations could be vulnerable just due to
> someone trying to subnet between their DMZ/internal network.  I can't
> count the number of times I've seen an interface or route
> incorrectly/accidentally supernetted to a /24 at a small site.
>
> To be fair, Checkpoint handled this better than I've ever seen a vendor
> handle such an incident.  If you want warm fuzzies, get them from there,
> not from wishing that there weren't a lot of inexperienced people landed
> with a technology they don't understand.  [I wonder if anyone's going
> through customer contacts urging them to upgrade?]
>
> I've found bugs in at least half the firewall products I've installed,
> tested or evaluated.  That's why I like to run firewalls where I have the
> source code available.  That obviously doesn't scale to a mass market
> without different dynamics than the current one though.
>
> > I have definitely bought into the VPN punch, but I left FWZ a
> > long time ago.
>
> You're in the US, not all FW1/Nokia/Fore/Who_ever customers have had the
> opportunity to use the alternative until recently.  I also seem to recall
> mention of not being able to disable FWZ?
>
> > Regardless of the protocol, VPNs are emerging because they are the only
> > way that the Internet can scale into the realm of IPV6.
>
> No, VPNs are emerging because companies want something for free or almost
> free and they don't understand encryption boundaries.  IANA policies not
> withstanding, there's enough address space for a while, and proxies and
> masquerading (many-to-one NAT) take care of anything that doesn't fit
> pretty well.  There are enough encrypting transports that the cascading
> headers can't be much of a v6 advantage for average users either.
>
> VPNs wouldn't be so successful if they weren't sold as network security
> products, even though their properties are for transport security not
> network security.
>
> [Good thing you didn't get me started on the anti-VPN rant at BlackHat!]
> > From: "Robert Stanley" <[EMAIL PROTECTED]>
>
> > > recent DOS attacks. These attacks affect other stateful firewalls as well
> > > (PIX). Most of the holes presented in the conference are curable simply
>
> I'd appreciate it if Robert could quantify which of the BlackHat published
> vulnerabilities also affect PIX, since all I've seen to date has been
> speculation.  I also think pluralizing "firewalls" is specious when naming
> a single other product.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> [EMAIL PROTECTED]      which may have no basis whatsoever in fact."
>
>    PSB#9280
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>