
Thread: Enterprise Firewalls

  1. #51
    PHP/PostgreSQL guy (Join Date: Dec 2001, Posts: 1,164)
    KorpDeath, you seem to have knowledge in this area, but one problem: you seem to be stuck on vulnerabilities. Everything has vulnerabilities, so just because it has a vulnerability is no reason to stop using it. That would be like not eating some canned food because the tin was dented. Now that's just silly, isn't it? So, well, that's my 2 cents.
    Well, in this case, it's not necessarily a vulnerability but when you have multi-homed DMZs, you have more than one point of entry. This in turn is more of a strain when sifting through connection logs, system logs, etc. At least, that's my interpretation.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  2. #52
    KorpDeath, Priapistic Monk (Join Date: Dec 2001, Posts: 2,628)
    Originally posted by Vorlin:
    Well, in this case, it's not necessarily a vulnerability but when you have multi-homed DMZs, you have more than one point of entry. This in turn is more of a strain when sifting through connection logs, system logs, etc. At least, that's my interpretation.
    Thanks for clearing that up, Vorlin.

    RiOtEr: What should I be pointing out if not the vulnerabilities? My mistake, this site is about underwater basket weaving. My mistake, I'll try to keep on track next time.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  3. #53
    Senior Member (Join Date: Dec 2001, Posts: 1,193)
    Underwater basket weaving?

    Man, that's choice. KorpDeath, you're good today. Of course, you are right about pointing that out, and Vorlin nicely spoke about that.

    In general you have to watch multihomed hosts as the issues grow with each network they are on.
    Trappedagainbyperfectlogic.

  4. #54
    KorpDeath, Priapistic Monk (Join Date: Dec 2001, Posts: 2,628)
    And putting a box in your DMZ that has a direct connection to your LAN is a bad bad bad idea. If that box is compromised then the soft center of your network is exposed to a harsh reality.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  5. #55
    Senior Member (Join Date: Nov 2001, Posts: 1,255)
    Originally posted by iNViCTuS:
    I think this brings us back to something we all know and have said a thousand times:

    It's not so much the firewall as it is the person who configures it. Vulnerabilities can be found in anything. Checkpoint gets more recognition unfortunately because they are so popular in this space. My company also is partnered with checkpoint, and I am sure mrwall's is too. So I know how you feel. But when it comes down to the bottom line. I would feel comfortable deploying Checkpoint in just about any environment, and I sure you would probably agree.
    To a certain extent the admin is responsible, but there is a point where the software itself has to take some of the blame. If the company has written a piece of software that is rife with overflowable buffers, then IMO the admin is not 100% to blame, except for maybe deploying the software. In this case, with firewalls, I did a quick search on Google for Checkpoint Firewall-1 vulnerabilities and it came up with a few hits, among which I grabbed these:

    http://ciac.llnl.gov/ciac/bulletins/k-073.shtml - Discusses several vulnerabilities in CPFW-1
    http://www.securityfocus.com/bid/1890 - CPFW-1 spits out valid usernames, aiding in a bruteforce of passwords.
    http://www.geocrawler.com/archives/3...0/7/0/4121477/ More discussion on the CPFW-1 vulnerabilities.

    I have never used CPFW-1, so I don't know the specifics of it, but from reading over the vulnerabilities, it seems that the software itself is at fault about half the time. That's more than unacceptable in my view. A firewall should come configured to protect against these things out of the box. Allowing anyone from any IP address to try and remote admin this firewall doesn't seem like a secure policy to me.

    Granted, that could be fixed with some configuration, but isn't the point of a firewall to secure a network? How secure is it if the out-of-the-box configuration is totally open?
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  6. #56
    Senior Member (Join Date: Dec 2001, Posts: 1,193)
    Valid points, chsh. I would like to point out that almost all off-the-shelf software currently ships with many things "open". Maybe they need to ship it with things closed and leave it to the admin to open it up.
    Trappedagainbyperfectlogic.

  7. #57
    KorpDeath, Priapistic Monk (Join Date: Dec 2001, Posts: 2,628)
    Sometimes it has to be open just to get it configured; then, after you configure it, it's your responsibility to close all that is open. There should, of course, be documentation to tell you what exactly is open, but nonetheless, it's up to the admin to lock up after he leaves for the night (so to speak).
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  8. #58
    Senior Member (Join Date: Jan 2002, Posts: 458)
    Still can't say I agree with you. Of course the software vendor should not release software with vulnerabilities, BUT no matter what you do, vulnerabilities can always be discovered. It is at this point where the security admin needs to take some responsibility and do it himself. After all, that is what we are getting paid the big bucks for, right? If no vulnerabilities existed, security admins would no longer have jobs. NOTHING IS PERFECT!!!

    The problem is that once something happens, it is very easy to point the finger at the next guy, when the fact is if you weren't so damn lazy in the first place, you probably wouldn't have a problem. Are we all going to stop using Microsoft because it is so insecure...of course not.

    And...NONE of the Checkpoint vulnerabilities were ever anything serious, and those who know Checkpoint will agree with me on that.

  9. #59
    OK, now is this thread ever gonna end? I'm really sick of hearing **** from some uneducated people <not you, Invictus>.

    Chsh: if you haven't ever used CP, why are you arguing it? What sort of basis do you have to argue this on?

    The default policies are just used when there is no policy installed on the FW module. Even those could be changed, as mentioned earlier, or as in defaultfilter.pf in Phoneboy's book (Appendix F).

    Also, if you're using the GUI to create your rulebase, #include fwui_trail.def is added to the end; the file has one sole purpose, "DROP whatever reaches it". Is that open by default? CP's only open ports are all stated in the Implied_Rules and NOWHERE ELSE.

    That's it for Chsh. Plus, Jerald Josephs is moderator on the fw1-wiz list and Regional Manager of Nokia Telecommunications on the east coast of the USA. The guy's experience is only limited to his appliance <Nokia's IP series> and VPNs. He has mentioned no vulnerabilities in his post. The problems demonstrated at BH can be found on Phoneboy's site under Docs. Yet, as you see, those problems are all mistakes by the ADMINs and not caused by CP.

    Also, the vuln you named for brute-forcing FW-1's user database was also reported on VPN-1; it just returns "wrong pwd" for valid accounts and "unknown user" for invalid accounts.

    BTW, who said that it is manageable from everywhere, as you <or whoever did> claim? CP doesn't allow administration except from the specified management console, and even the management console only allows the GUI clients to connect which are also specified.

    How on earth would CP be a best seller if everyone could just find a problem with it? I have come across a number of problems, but they were all just the admin's fault, no more.

    That's it for me on the boards; I'm not here until I find something else really interesting.

    Invictus: I completely agree with you <and you know that I know CP from Phone's list>, and about Focmaester's Q, I agree with you on the un-configured point, but CP does accept the con.. because VRRP is used in HA, and when the FW is *not* running in HA it just thinks there is NO HOST to sync with, not that it isn't in HA mode. The only way to correct this and have all packets with src_ip and dst_ip of vrrp.mcast.net <224.0.0.0> denied is to remove the "sync" flag from your tables. Also, it was me who asked Foc to post that Q.

    Thanks,
    Invictus: Enjoy your life,
    Others: come up with something important and really good before you think of replying.

    etsh911
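The rule-base behaviour described in the post above (a trailing rule whose sole purpose is to drop whatever reaches it) and KorpDeath's earlier warning about a DMZ box with a direct line into the LAN, as an added example that is not part of the thread and not Check Point's code: a toy first-match packet filter in Python with an audit that flags a missing cleanup rule, rules placed after it, and accepts from the DMZ into the LAN. The zone ranges, rule names and ports are constructed for illustration, and the evaluator does not reproduce FW-1's real rule semantics.

```python
"""Toy first-match packet filter with a cleanup rule and a rule-base audit.

Added example for the thread above; it is not Check Point's code and does not
reproduce FW-1's actual rule semantics.  Zones, addresses, ports and rules
are all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zones (RFC 5737 / RFC 1918 ranges); anything else is "internet".
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "lan": ip_network("10.0.0.0/8"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # zone name or "any"
    dst: str              # zone name or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "accept" or "drop"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to a zone; addresses outside every known zone are 'internet'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.src in ("any", zone_of(pkt.src_ip))
        and rule.dst in ("any", zone_of(pkt.dst_ip))
        and rule.dport in (None, pkt.dport)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First match wins.  A packet nothing matches is reported as 'unmatched'
    rather than silently accepted or dropped, so the audit can catch it."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "unmatched", ""


def is_cleanup(rule: Rule) -> bool:
    """A catch-all drop: the 'DROP whatever reaches it' rule at the end of a base."""
    return rule.src == "any" and rule.dst == "any" and rule.dport is None and rule.action == "drop"


def audit(rules: List[Rule]) -> List[str]:
    """Static checks for the three mistakes the thread warns about."""
    findings = []
    if not rules or not is_cleanup(rules[-1]):
        findings.append("last rule is not a catch-all drop: unmatched traffic has no defined fate")
    for i, rule in enumerate(rules):
        if rule.action == "accept" and rule.src == "dmz" and rule.dst == "lan":
            findings.append(f"{rule.name}: accepts DMZ -> LAN, a compromised DMZ host reaches the soft centre")
        if any(is_cleanup(r) for r in rules[:i]):
            findings.append(f"{rule.name}: unreachable, placed after the cleanup rule")
    return findings


# Constructed rule bases: one sound, one with the mistakes above, one with no cleanup rule.
GOOD_RULES = [
    Rule("web-in", "internet", "dmz", 80, "accept"),
    Rule("cleanup", "any", "any", None, "drop"),
]
LEAKY_RULES = [
    Rule("web-in", "internet", "dmz", 80, "accept"),
    Rule("dmz-to-db", "dmz", "lan", 5432, "accept"),
    Rule("cleanup", "any", "any", None, "drop"),
    Rule("late-admin", "any", "dmz", 22, "accept"),
]
NO_CLEANUP = [Rule("web-in", "internet", "dmz", 80, "accept")]

if __name__ == "__main__":
    probe = Packet("203.0.113.5", "192.0.2.10", 22)
    print(evaluate(GOOD_RULES, probe))    # ('drop', 'cleanup')
    print(evaluate(NO_CLEANUP, probe))    # ('unmatched', '')
    for finding in audit(LEAKY_RULES):
        print("finding:", finding)
```

The evaluator deliberately returns "unmatched" instead of guessing a default for a rule base with no cleanup rule; whether unmatched traffic is accepted or dropped is exactly the "open by default" question the thread argues about, and the audit makes that an explicit finding rather than a silent assumption.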

  10. #60
    Senior Member (Join Date: Nov 2001, Posts: 1,255)
    Originally posted by mrwall:
    OK, now is this thread ever gonna end? I'm really sick of hearing **** from some uneducated people <not you, Invictus>.

    Chsh: if you haven't ever used CP, why are you arguing it? What sort of basis do you have to argue this on?
    Well, my knowledge of good software security practices for starters...

    The default policies are just used when there is no policy installed on the FW module. Even those could be changed, as mentioned earlier, or as in defaultfilter.pf in Phoneboy's book (Appendix F).

    Also, if you're using the GUI to create your rulebase, #include fwui_trail.def is added to the end; the file has one sole purpose, "DROP whatever reaches it". Is that open by default? CP's only open ports are all stated in the Implied_Rules and NOWHERE ELSE.

    That's it for Chsh. Plus, Jerald Josephs is moderator on the fw1-wiz list and Regional Manager of Nokia Telecommunications on the east coast of the USA. The guy's experience is only limited to his appliance <Nokia's IP series> and VPNs. He has mentioned no vulnerabilities in his post. The problems demonstrated at BH can be found on Phoneboy's site under Docs. Yet, as you see, those problems are all mistakes by the ADMINs and not caused by CP.
    Etsh, none of what I was saying was laying blame solely on CPFW-1. As I said, the caveat to my post was that I haven't had any experience directly with FW-1. I based my comments on my understanding of what was written at those sites, and my understanding of how secure software works.
    What I'd tried to put forth was the concept that the admin is not always 100% to blame. It can vary from software company to software company. Look at Microsoft. I'm certain there have been admins bitten by various bugs because of faulty or nonexistent patches to IIS, and not because they haven't tried patching their systems. It happens, face it.

    Also, the vuln you named for brute-forcing FW-1's user database was also reported on VPN-1; it just returns "wrong pwd" for valid accounts and "unknown user" for invalid accounts.
    Correct. Your system is less secure from the standpoint that once someone has a valid user account, they can then go about brute-forcing that user account. This kind of disclosure only helps someone attempting to break into a system.

    BTW, who said that it is manageable from everywhere, as you <or whoever did> claim? CP doesn't allow administration except from the specified management console, and even the management console only allows the GUI clients to connect which are also specified.
    http://www.safermag.com/html/safer21/alerts/04.html - On Solaris, CPFW-1 rlogin listens on all available NICs.

    By the by, I wasn't trying to come off as trashing something I don't know much about, and I apologize if I did. I was merely pointing out that it's all fine and dandy to blame the admin when it is the admin's fault, but some of this stuff is IN SOFTWARE. I happen to agree with gold eagle that it makes the admin's life a little more difficult if they've got to go through and disable a bunch of extra crap. IMO, servers and firewalls should come with everything OFF by default (RedHat's learning this lesson, as I've noticed that certain things have to be enabled unless you specify them to load at boot during installation), and then the admin can do his/her job and configure it the way it should be configured.

    I completely agree that one should blame the admin when it's the admin's fault, but if it's a software problem, then lay the blame where it should: on the software. Implementing work-arounds is not a good fix for things. It should be temporary until the software can be updated to remove any problems.

    How on earth would CP be a best seller if everyone could just find a problem with it? I have come across a number of problems, but they were all just the admin's fault, no more.
    Hahahahaha. You think problems have anything to do with it? You're seriously deluded there, etsh! Look at IIS. It's got bucketloads of problems, but a LOT of people still use it because it's simpler to configure than Apache. You personally may not be the kind of guy who will succumb to these kinds of problems, but by having stuff accessible, the complete neophyte firewall guy will be the one hurt by this.
    Whether you like it or not, if it's easy enough to use, companies will buy it and will hire an idiot to run it. "It can't be complicated or hard because there's a GUI" seems to be how a lot of people think. They're flat out wrong, and it's damn time companies out there started realising this and implemented better default configurations.

    Others: come up with something important and really good before you think of replying.
    Your idea of 'really important and good' is obviously different from mine, so you'll have to let me know.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
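The disclosure the two posts above argue over ("wrong pwd" for valid accounts, "unknown user" for invalid ones) and the defender's fix for it, as an added example that is not part of the thread and not any vendor's code: a leaky login routine beside a uniform one, plus a self-check a defender can run to tell whether a login routine's responses distinguish existing accounts from nonexistent ones. The user database, the password, and the message strings are constructed for illustration.

```python
"""Authentication error messages: leaky vs uniform (added example).

Not code from the thread or from any firewall vendor.  It models the
disclosure discussed above: a login that answers "unknown user" for missing
accounts and "wrong password" for existing ones tells the caller which
usernames exist.  The user database and password below are constructed.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple

ITERATIONS = 100_000


def make_record(password: str) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 record: (salt, digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed user database with a single account.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "fwadmin": make_record("correct horse battery staple"),
}

# Throwaway record so a lookup for an unknown user costs the same work
# as a wrong password for a real one (no timing difference to observe).
_DUMMY_SALT, _DUMMY_DIGEST = make_record("placeholder")


def check(salt: bytes, digest: bytes, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def leaky_login(user: str, password: str) -> Tuple[bool, str]:
    """The pattern the thread describes: the error text reveals whether the account exists."""
    if user not in USERS:
        return False, "unknown user"
    salt, digest = USERS[user]
    if not check(salt, digest, password):
        return False, "wrong password"
    return True, "ok"


def uniform_login(user: str, password: str) -> Tuple[bool, str]:
    """Hardened form: same message and same amount of work whether the
    account is missing or the password is wrong."""
    salt, digest = USERS.get(user, (_DUMMY_SALT, _DUMMY_DIGEST))
    # Always run the hash first, then require that the user really exists,
    # so a guess that happens to equal the dummy password still fails.
    ok = check(salt, digest, password) and user in USERS
    return ok, ("ok" if ok else "invalid username or password")


def enumeration_exposure(login: Callable[[str, str], Tuple[bool, str]],
                         known_user: str, bogus_user: str) -> bool:
    """Defender's self-check: True if a wrong password on a real account yields a
    different message from the same password on a nonexistent account."""
    _, msg_known = login(known_user, "definitely-not-the-password")
    _, msg_bogus = login(bogus_user, "definitely-not-the-password")
    return msg_known != msg_bogus


if __name__ == "__main__":
    print("leaky   exposes accounts:", enumeration_exposure(leaky_login, "fwadmin", "nobody"))
    print("uniform exposes accounts:", enumeration_exposure(uniform_login, "fwadmin", "nobody"))
```

The self-check is the piece worth keeping around: point it at any authentication front end you are responsible for (login form, VPN client, management console) and it tells you in one call whether the error text alone separates real accounts from invented ones, which is the property the thread says makes a later password-guessing attempt easier.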
