Enterprise Firewalls

Your hands are tied?

So what? I work for an OPSEC partner and we developed alot of ****. Plus, check my posts on the firewall-1 wizards list hosted by phoneboy, it prooves that I DO know what I'm talking about, unlike what you said in your AntiPoint.

I'm not saying that CP just says "hey, here's an unfixed vulerabilioty", I have passed by a few that were not fixed, so? is this like saying "those BH2001 vuln.s were really bad"? those were BULLSHIT. Would you please at least note something wrong of what I said?

Also, would you mind helping us find those un-fixed-vulns-of-CP?

Well, O Well, are you arguing some gay paper like http://www.avolio.com/apgw+spf.html ? I think that is the most ridiculous paper I ever read, In his paper, he considers CP's limit in not-looking at the packet's content, and what does Phoneboy's HTTP stateful inspection script do? what si the TCPDATA parameter in INSPECT used for? May you tell me?

Name something that is not an admin.s fault.

Also, if you were realy working a partner in the OPSEC alliance, how are you arguing CP? at least name one problem that has appeared in CP and wasn't foxed.

I have read that paper that you linked to, and I completely agree with Invicutus, this is BS and has nothing related to CP.

Also, in your AP you said that you have used CP for 3yrs, may I ask what do you know about NG's engine? it has completely changed from the old FW-1 one.

if you wanted to complete this post in a decent way, plz do, point-us to some CP vuln. or a real problem with CP's engine, or just ask a moderator to remove it.

Invictus (or however you spell it :)) : I'm not sharing any qualifications at all in here, I know who I am, and alot of people have agreed on my knowlegde and I think that by a simple browse of the fw1-wizards list you would see how I simplified alot of stuff.

etsh911

Quote:

---

Originally posted by mrwall


Invictus (or however you spell it :)) : I'm not sharing any qualifications at all in here, I know who I am, and alot of people have agreed on my knowlegde and I think that by a simple browse of the fw1-wizards list you would see how I simplified alot of stuff.

etsh911

---

I know....i was just being sarcastic. anyone who has been around security and has read security newsgroups for any amount of time knows that you are not full of $hit. In fact I have, and I am sure many people have learned alot from you sharing your knowledge.

I also know that your knowledge goes way beyond the realm of Checkpoint. I really think you should write a book sometime ;)

BTW...you might have known me previously as c4rp3dm. But anyway...thanks etsh911 for all the help knowledge you provide to all of us...it is much appreciated. And it is nice to have you as a member of this forum.

I do have a question for you...but I will post it in a different thread..

Hey Invictus, I just read your pvt. msg. I think your mistakening me for someone else.

Actually, I have found alot of ppl talk about it :). Someone did use my nickname <or something near to it> on irc.box.sk and claimed he was George Kurtz <wich probably is the reason why you dropped that link> if that guy is still there, would you tell me when does he drop-by? I would like to know who it is.


And thanks for your trust ;)

etsh911

Ahhh...ok....that makes much more sense now. That is probably what happened...cuz I used to read all your newsgroup posts, and then when the 'fake' etsh911 came along...things didn't seem to match up and something seemed a little strange.

But I do appreciate all 'your' help on the wizards list. You have helped me with a lot of problems. I did post another question for you in this forum...check it out and see if you can help.

Don't you hate those imposters.

Thanks,

Hey, wich name do u go by on the List? and when did I help? :)

I rule, don't I? :)

BTW, I answered your Q, check it out,

Hope I helped,
etsh911

These aren't relevant anymore?

1. One-way Connection Enforcement Bypass
2. Improper stderr Handling for RSH/REXEC
3. FTP Connection Enforcement Bypass
4. Retransmission of Encapsulated Packets
5. FWA1 Authentication Mechanism Hole
6. OPSEC Authentication Spoof
7. S/Key Password Authentication Brute Force Vulnerability
8. GetKey Buffer Overflow


And when did I say anything about OPSEC?


And in case you didn't read it in the previous posts I think CP-1 isn't as good as it could be. For instance we ran it in a couple of switches and it could barely deal with a full T-1 worth of traffic. Crashed all the time, Unloaded policies spontaneously, the only good thing Ithink it did by crashing was to crash closed instead of open.


Hey OSHA just informed me that if more than one person is going ride my a$$ then I need to install hand rails and safety straps.

What got you so pissed off? Are you an engineer for CP or what? As one of my coleagues put it "sheesh".

CP-1? what product is that? I know of FW-1 and VPN-1 but not of CP-1, maybe it is something I havent' come across, well did you just copy those off the Alerts link? those are NOT attacks that I get afraid of. CP jsut posts fixes using INSPECT and any self-respecting admin should go out and learn INSPECT befor he tries to use CP in a good way, and since I do know INSPECT I try my best to look at those config files, and by the time one of those vulns are reported I already have a fix for it even befor CP releases it's own fix.


What would make CP systems crash? I use both Nokia appliances and SPARC powered servers for my CP installs <lately I added Debian to the list> and they never crashed, plus, if it DID crash, then I think u took some illegal way, CP's list of aplpiances says the recommended speed for each box, and I have had CP on dualt T3 lines without problems at all, actually I also know of ppl that got it on really higher speeds.

About un-expected policy unloads is that was not documented anywhere, probably cuz u got policy conflicts? did someone try to mess with CP's config files? CP sometimes has to call functions defind in kerntabs.h, otherwise if your install was on a Linux other than the suggested kernels or a patched/un-offical one, like NSA's or has some weird patch, then probably it is the reason.

and BTW, yea, I am an engineer for CP <an OPSEC partner actually, not CP itself> and when you talked about un-disclosed vuln.s I thought of BS.

Yet, we do have reported issues :\, but look at the bright side, they aren't serious :)

Ciaz,
etsh911

I'm glad you cleared it all up for me. My mistake, Checkpoint FW-1 is god, your right.

I'm still using Sunscreen though, although you almost converted me.............

lol, I'm not about converting people, and convincing ppl what is right and what is wrong, I do not have anything against anybody, I just have knowlege to keep me alive :).

Just think of it, could SunScreen provide anything that CP didn't?
All those Security Servers, nice VPN solution, easy mangemnt, etc..

hehehehehe, you should turn back :-)

Enjoy!
etsh911

Then would you mind not neg'ing me for EVERY single comment I've made? It's really not necessary. Thanks in advance.