
Thread: Enterprise Firewalls

  1. #21
    posted by EvIl eLf
    A good firewall is only as good as its admin and its ability to recognize attack signatures and react to them. Oh yeah, bleeding network traffic to the internet would be good as well.
    A firewall is as solid as the rules set up by its admin. Balancing the vulnerability of the firewall and its ease of use, like setting up complex rules, is important. Also find out other users' comments on the tech support provided by the vendor.

    rgds
    de

  2. #22
    Junior Member
    Join Date
    Aug 2001
    Posts
    1

    Question

    Hello all.
    Does anyone use Gauntlet anymore?
    Any comments are welcome.


    --- I sleep well, sleep i well future?

  3. #23
    Senior Member
    Join Date
    Dec 2001
    Posts
    291
    Nice review on Raptor IchNi... I'll have to check it out.

    I've had good luck with Cisco's PIX (well, the classic PIX sucks) but the interface is just clunky... as stated above!

    Netscreen makes a good strong product for a hardware firewall as well. I've put in quite a few of 'em and had excellent luck with them. I like their VPN ability, and the interface is almost too friendly (ok, it is too friendly).

    And of course for a mid-sized network (not home, but not quite enterprise) a Cobalt system like the Qube II or Qube III is quite cost efficient and will most likely do. They also make great small to mid company mail and web servers... (DNS too, even....) I used to have a Qube II sitting on my john at home serving as a firewall and providing DNS services (why the john... because I could!!)

    I've heard mixed reviews on Checkpoint, and I've never had the chance to play with it, so I can't say much in that direction.

    I suppose in all reality the difference in what firewall you use (so long as it offers ample configuration options) doesn't really matter as much as how you use it.

    ~THEJRC~
    I'll preach my pessimism right out loud to anyone that listens!
    I'm not afraid to be alive.... I'm afraid to be alone.

  4. #24
    I have been checking out several firewall products. I like the Sofa box,
    www.s-box.com. This is a Checkpoint small office product that includes the stateful inspection engine, with a built-in IDS system, for $300. This box is awesome; from what I see it seems to be a simpler way to filter sites, add rulesets and filter traffic. The Sofabox, as it is called, is OPSEC compliant, meaning a box running Checkpoint will be able to modify rulesets.
    Essentially S-box is a modified version of BSD with Checkpoint on it. Yet another great product is Trend Micro's Secure Point, which is a firewall Linux OS that can connect to Windows-based management stations. It has a built-in VPN and virus wall; for personal use it is free. I don't have any specifics on the price. It also uses stateful inspection. A good one for the home DSL/cable modem user is LRP (Linux Router Project) Freesco at www.freesco.org. It uses a dynamic packet filtering engine and a great web interface, plus it fits on a floppy and will run on a system with a 66 MHz processor and 16 MB of RAM and no hard drive (yes, no hard drive). This of course is freeware.

    PeAcE
    Ee

  5. #25
    Originally posted by iNViCTuS
    OK...please tell me a major vulnerability that has ever been discovered in a Checkpoint firewall. Big deal, a DoS here or there or maybe a malformed packet vulnerability. A firewall is more about the firewall admin than it is the type of firewall.

    EVERYTHING has vulnerabilities...only the big players get scrutinized for every vulnerability that is uncovered (i.e. Microsoft, checkpoint, etc) That is why it is important to apply patches and updates. Of course an unmanaged firewall is useless to begin with.

    I have been working with Checkpoint firewalls for a long time, so believe me, I have done my homework.

    And as far as a Unix firewall is concerned, you cannot easily manage multiple firewalls within a single interface like you can with Checkpoint or Cisco. So that is what I meant by being afraid of them. Many organizations do not have the in-house talent to manage IPF, IPTABLES, IPCHAINS, etc. We know it is not that difficult, but many organizations still do not trust these types of applications because they are not highly publicized.

    Hell Yea, Since when was a CP so bad DeathKorp?

    I have worked for CP since it had version 3.0 and until this very day, I have NOT seen anything reported as a CP vuln. that wasn't actually gay administration.

    Let me name the three major problems found in CP,

    1. ACK DoS
    2. w32 GUI buffer overflow
    3. RDP VPN issue.

    Let's start one by one

    1. The Ack Dos,

    Have you ever touched a CP box? As in EVER in your life did so? Well, if you have, you'd probably know that CP uses a language for its FW called INSPECT. Even before CP released its fix or before I read Lance Spitzner's FW-1 state paper, I knew that CP doesn't maintain state by TCP flags, and that ACK packets could pass and get compared to the rulebase. So, I simply didn't sit beside my FW and start crying; I wrote a simple INSPECT script that checks the packet's flags, records it to a value in the connections table and compares the next packets to it. The idea is simple: SYN = 1, SYN/ACK = 2, ACK = 3.

    Here is the logic

    if (syn) {record <conn;1> in connections, accept};
    if (syn, ack) {set sr1 connections[conn],
    if (sr1 != 1) {vanish} or record <conn;2> in connections, accept};
    if (ack) {set sr1 connections[conn],
    if (sr1 !=2) {vanish} or record <conn> in connections, accept};

    Simple, eh?

    2. Did you read the advisory? It says that the vuln just stops the FW from loading the correct policy. Do you know what that means? It will default to the defaultfilter.pf that comes with it. So, why not smart-ass yourself and just change defaultfilter.pf to some good policy that you could consider as a back-up plan?

    3. The RDP VPN issue. Well, from CP's info they have ignored fixing this problem for quite a while. Reason? Cuz it's only in their FWZ encapsulation scheme and it just uses 46-bit keys <heh, since when were 46 bits any secure for a VPN network?>, and with the current growth of cryptographic standards like AES and 3DES, FWZ is useless except in small situations like SecuRemote, which now has an IKE option.


    In other words, if you're saying CP is bullshit, I think you REALLY have to go and learn this before you talk about it.


    Sincerely,
    someone that's ****ed-up from ppl that don't wanna hire an under-15 yr. old kid.
    etsh911
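The flag-tracking logic etsh911 sketches above (SYN = 1, SYN/ACK = 2, ACK = 3, packet compared to the recorded state for its connection), rewritten as an added, runnable Python model; this is not INSPECT code and not from the thread, and the packet fields and addresses are constructed for the demo. It goes one step further than the sketch in that an established connection (state 3) keeps accepting ACK packets, so ordinary data traffic is not dropped after the handshake.

```python
# Added example: stateful TCP-handshake tracker modelled on the INSPECT sketch.
# A bare ACK (or SYN/ACK) with no matching prior state for its connection is
# silently dropped ("vanish") instead of being compared to the rulebase.
from dataclasses import dataclass

SYN, SYN_ACK, ACK = 1, 2, 3  # states as numbered in the post


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class HandshakeTracker:
    def __init__(self):
        self.connections = {}  # connection key -> last handshake state seen

    def _key(self, p):
        # Order the endpoints so the SYN/ACK reply maps to the SYN's entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def inspect(self, p):
        """Return 'accept' or 'vanish', mirroring the three INSPECT rules."""
        conn = self._key(p)
        state = self.connections.get(conn)
        if p.syn and not p.ack:           # if (syn) {record <conn;1>, accept}
            self.connections[conn] = SYN
            return "accept"
        if p.syn and p.ack:               # if (syn,ack) {sr1 must be 1}
            if state != SYN:
                return "vanish"
            self.connections[conn] = SYN_ACK
            return "accept"
        if p.ack:                         # if (ack) {sr1 must be 2, or already 3}
            if state not in (SYN_ACK, ACK):
                return "vanish"
            self.connections[conn] = ACK
            return "accept"
        return "vanish"                   # no handshake flags at all


def run_sequence(packets):
    """Feed constructed packets through one tracker and return the verdicts."""
    tracker = HandshakeTracker()
    return [tracker.inspect(p) for p in packets]
```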

  6. #26
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Here you go. I'm glad to see that none of you can use Google to search for vulnerabilities in stateful inspection engines, so here's one. If you want to find out more specific information, ask someone from the NSA to send you their test results. Yeah, right.

    http://cutter.com/itgroup/reports/deploying.html

    Read this and then go do your homework.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  7. #27
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    So where are you now?


    Installing a new firewall?

    hehehehe........... j/k
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  8. #28
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    I read this article, and nowhere does it state specific Checkpoint vulnerabilities!! Plus it is written by a consultant who is full of BS and is trying to scare people into using their services.

    The vulnerabilities that mrwall stated are the main vulnerabilities found in Checkpoint's firewall. Here is a link to all of them:

    http://www.checkpoint.com/techsupport/alerts/

    If you read these, nothing serious is due to a weakness in the Checkpoint, rather the underlying OS or poor administration. Everything mrwall said is exactly right.

    but anyway...mrwall (etsh911) why don't you list your qualifications if possible so people don't think you are full of $hit.

    http://foundstone.com/company/george_kurtz.html ......lol

    BTW...KorpDeath...I am giving you some antipoints because I like the fact that we can have a good old fashioned argument in a diplomatic manner.

  9. #29
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Well that's cool.


    I'm sorry I can't get more specific about the vulnerabilities. You see, the company I work for has a partnership w/ Checkpoint, so my hands are tied, so to speak.

    I could refer you to many more articles but I'm sure you guys know how to find them.

    And the last people I would believe would be the company that makes the firewall (Checkpoint); they are infamous for not revealing a problem until after they attempt to fix it.

    You really need to find an unbiased look at it.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  10. #30
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    I think this brings us back to something we all know and have said a thousand times:

    It's not so much the firewall as it is the person who configures it. Vulnerabilities can be found in anything. Checkpoint unfortunately gets more recognition because they are so popular in this space. My company also is partnered with Checkpoint, and I am sure mrwall's is too. So I know how you feel. But when it comes down to the bottom line, I would feel comfortable deploying Checkpoint in just about any environment, and I'm sure you would probably agree.

    Thanks for the arguments though...it was fun. I am waiting for another topic that we can tear apart now....
