Firewall Wizards mailing list archives
RE: FW-1 technical strength
From: "Stout, Bill" <StoutB () pios com>
Date: Mon, 28 Dec 1998 14:16:56 -0500
I have a few bones about it. I believe most are addressable by tinkering with it more.

1. It's not designed to do applications filtering, so once a session is established that looks O.K., that channel is wide open to pass any attack commands or binaries. Note that proxies can be added and custom pattern matching filtering can be added (more work) but proxies/content filtering are not part of the design, it's a session box.

2. It's easy to misconfigure. Most sites I visit with it are broadcasting or internally responding to external SNMP requests. Often these attempts to respond result in internal SNMP broadcast storms. Also the SNMP port of the firewall itself is usually open to external 'public' (a poorly documented default value that was fixed).

3. At one web service bureau, unserviced requests overwhelmed the filter tables, causing the firewall to lock up, requiring hard reboot every two to four hours.

4. Some NT systems apparently had memory leaks, locked up, and required occasional reboot.

5. Poor SMTP spooling mechanism. Sometimes it gets jammed or crashes, and restarting loses incoming messages. Mail flood attacks crash FW-1. Some lost messages were important to either recipient or sender in the cases I've seen.

6. Tough time doing large FTP sessions through it, FTP transfers would often die.

7. It allows stealth scanning of the internal network since FW response for existing nodes differs from non-existent nodes.

8. It was going through qualification for use at U.S. government sites since it had some NSA protocol support, however FW-1 is made in Israel which is an occasional ally, but is not a 'trustable entity' according to U.S. Foreign Ownership, Control or Influence (F.O.C.I.) rules. This was mainly a political/security issue, above the heads and out of the hands and realm of most corporate security folk.
A thorough review of FW-1 was posted at the NSA X31 group/MITRE site; http://mitten.ie.org/, unfortunately shortly after the FW-1 report was released, the entire site disappeared.

Bill Stout
__________
Y2K will be big story of '99:
12/11/98 - U.N. suddenly fears Y2K domino effect
http://www.un.org/News/Press/docs/1998/19981211.pi1106.html
12/24/98 - Federal government plans for Y2K crisis
http://detnews.com/1998/technology/9812/24/12240168.htm
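Item 7 of the post above describes a firewall whose replies differ for hosts that exist and hosts that do not, which lets an outside party sweep the internal address space. The defender's handle on that is the sweep itself: one external source touching many distinct internal addresses in a short span, regardless of whether each probe was accepted or dropped. The following is an added example written for this archive page, not code from the original post or from Check Point. It parses a constructed, simplified log format (`<time> <action> <src> -> <dst>:<port>`, not FW-1's real log layout) and assumes 10.0.0.0/8 as the internal range; both are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address range for this example (not from the original post).
INTERNAL = ip_network("10.0.0.0/8")

# Constructed sample log lines in a simplified format; NOT FW-1's actual log layout.
# 203.0.113.7 walks six consecutive internal addresses; 198.51.100.9 talks to one
# mail host repeatedly; 10.1.1.3 is an internal client going outbound.
SAMPLE_LOG = """\
14:00:01 drop 203.0.113.7 -> 10.1.1.1:80
14:00:01 drop 203.0.113.7 -> 10.1.1.2:80
14:00:02 accept 203.0.113.7 -> 10.1.1.3:80
14:00:02 drop 203.0.113.7 -> 10.1.1.4:80
14:00:03 drop 203.0.113.7 -> 10.1.1.5:80
14:00:03 drop 203.0.113.7 -> 10.1.1.6:80
14:00:10 accept 198.51.100.9 -> 10.1.1.3:25
14:00:11 accept 198.51.100.9 -> 10.1.1.3:25
14:00:12 accept 10.1.1.3 -> 192.0.2.10:80
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<action>accept|drop)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):(?P<port>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": m["time"],
        "action": m["action"],
        "src": ip_address(m["src"]),
        "dst": ip_address(m["dst"]),
        "port": int(m["port"]),
    }


def detect_sweeps(log_text, min_targets=5):
    """Return external sources that touched at least `min_targets` distinct internal hosts.

    Both accepted and dropped events are counted: the signature of a sweep is the
    spread of destinations, not the verdict on any single packet.
    """
    per_src = defaultdict(lambda: {"targets": set(), "accepted": 0, "dropped": 0})
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # ignore lines that do not fit the sample format
        # Only inbound traffic from outside to inside is relevant here.
        if ev["src"] in INTERNAL or ev["dst"] not in INTERNAL:
            continue
        rec = per_src[str(ev["src"])]
        rec["targets"].add(str(ev["dst"]))
        if ev["action"] == "accept":
            rec["accepted"] += 1
        else:
            rec["dropped"] += 1
    return {
        src: {"targets": len(r["targets"]), "accepted": r["accepted"], "dropped": r["dropped"]}
        for src, r in per_src.items()
        if len(r["targets"]) >= min_targets
    }


if __name__ == "__main__":
    for src, info in detect_sweeps(SAMPLE_LOG).items():
        print(f"possible sweep from {src}: {info['targets']} internal hosts "
              f"({info['accepted']} accepted, {info['dropped']} dropped)")
```

The threshold and the internal range are the two knobs to tune for a real deployment; the useful property of counting distinct destinations rather than drops alone is that a sweep which mostly hits permitted services still shows up.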
Current thread:
- FW-1 technical strength Philip R. Moyer (Dec 18)
- <Possible follow-ups>
- Re: FW-1 technical strength Ryan Russell (Dec 22)
- Re: FW-1 technical strength Darren Reed (Dec 26)
- Re: FW-1 technical strength jgalvin (Dec 28)
- Re: FW-1 technical strength cbrenton (Dec 28)
- Re: FW-1 technical strength Kevin Steves (Dec 28)
- Re: FW-1 technical strength Darren Reed (Dec 26)
- RE: FW-1 technical strength Stout, Bill (Dec 29)