Re: Firewall comparison

[Steve George <stevege () i-way net uk>]

Hi John,

This sounds pretty interesting, haven't heard of this penetration
before.

If you could provide more information on how this is done and exactly
how it would effect a network that would be fantastic.  There doesn't
seem to be anything on your web pages: if information about a specific
FW is commercially sensitive just some information on how to implement
the attack would be useful.  Perhaps you could put out one report of
where you have penetrated a FW, redacting any company info of course, it
would be very useful for everyone to know how such an intusion is done -
and I'm sure would bring you clients from the lurkers on this list ;-)

Best wishes,


Steve

> John McDonald wrote:
>
> The only problem with the firewalls you've mentioned....They cannot detect fragmented packet UDP storms..which is the 
> very first penetration test we attempt to penetrate the firewalls of very recognizable companies.
>
> These firewalls need to be configured from scratch and those who are very intent on keeping their secret information 
> secret will rely on more robust firewalls that are incredibly more secure. We have run penetration test on every 
> firewall imaginable over the course of the last five years. Our analysis has lead us to Firewall-1 being the most 
> secure firewall, when properly configured, on a Unix platform. We have been able to easily penetrate almost every 
> firewall in under 24 hours, most in under 20 minutes. Generally due to misconfiguration.
>
> Please don not rely on home grown firewalls in a commercial organization unless you posses *extensive* knowledge of 
> security and routing. Otherwise, you may need to look for another job, because being hacked is NOT fun and is NOT and 
> option for repeatable companies.
>
> John D. McDonald
>
> Phone: 510.713.8880 ext. 306
> Fax:      510.713.3456
> E-mail: JohnM () NetworkGuys com
> Web:    www.NetworkGuys.com
>
> Secure Enterprise Connectivity
> Managed Security        Managed Firewall
> Anti-Virus-Vandal       Firewalls
> Security AuditsVPN
> Digital Certificates    Security Systems
> 24x7 Network Monitoring/Hacker intrusion
>
>           -----Original Message-----
>           From:   Bennett Todd [mailto:bet () newritz mordor net]
>           Sent:   Friday, February 26, 1999 9:44 AM
>           To:     Radovan Semancik
>           Cc:     ark () eltex ru; firewall-wizards () nfr net
>           Subject:        Re: Firewall comparison
>
>           eSafe Protect Gateway (tm) has scanned this mail for viruses, vandals and
>           suspicious attachments and has found it to be CLEAN.
>           1999-02-25-13:29:00 Radovan Semancik:
>           > > What info exactly are you interested in? Security? Pereformance? Design and
>           > > technology issues? Implementation features and bugs?
>           >
>           > Design and technology. That's the thing that changes very slowly and has
>           > a major influence on overall security and performance.
>
>           I've gotta agree on that.
>
>           These days, the design and technology that seems to me to make the best
>           firewalls for many, perhaps most settings, are a good well-supported Open
>           Source Unix-like OS like Linux or one of the free BSDs, together with a
>           suitable mix of proxies for your needs (e.g. TIS fwtk, smtpd, plugdaemon,
>           rinetd, qmail, squid), all nicely reinforced with some nice packet filtering
>           like ipfw or ipfilter. The technology here isn't a big step from the oldest
>           firewalls, mostly just adding the packet filtering reinforcement, but it's
>           still the best. Packet filtering firewalls like the FW1 and the Pix are nice
>           as somewhat sturdier replacements for screening routers, but for serious
>           protection I'd rather have data streams getting proxied at the top of a nice
>           solid IP stack and regenerated as nice shiny new packets, rather than having
>           dirty packets from the outside passed right through by a filter.
>
>           -Bennett