Firewall Wizards mailing list archives

Re: Leader in firewall product


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Mon, 18 Sep 2000 13:18:55 -0400


> Eh?  Gauntlet is less secure than everything mentioned so far?

Like everything else, Gauntlet had its share of flaws.

> Would you be so kind as to explain exactly why you feel this to be the
> case?  IIRC: once-upon-a-time, Gauntlet was regarded by many as being
> the *most* robust of firewall products, security-wise.

The design was conservative and (in my opinion) pretty decent. But
there were a few implementation flaws and conceptual flaws, as well.
We added proxy transparency in 3.0, and at that point I felt that
the security of the system took a big leap downward - when you've
got a firewall that's basically transparent to the end user, it's
also basically transparent to a trojan horse. I always hated that
but it was market pressure. Nobody was buying non-transparent
firewalls; nobody would, today.

There were two components of the firewall proxies that desperately
needed a code review and never got one: the http proxy and the
X-Window proxy. They did a lot of complex string-pounding and would
have been a great breeding ground of buffer overruns, etc. In
those days, things like stack guard weren't available, and I
always wanted to figure out a way to harden the processes so they
couldn't be buffer overrun'd but never had time. :( There were
a lot of places in Gauntlet that could have used considerable
shoring up, but we were always overloaded and never had time to
get back to them.

mjr.
-----
Marcus J. Ranum
Chief Technology Officer, Network Flight Recorder, Inc.
Work:                  http://www.nfr.net
Personal:              http://www.ranum.com


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
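The "complex string-pounding" Ranum describes in the http proxy is the classic setting for a buffer overrun: a client-chosen header value copied into a fixed-size field. The following C is an added illustration, not Gauntlet's code and not from the list post; `HDR_MAX`, the function names and the constructed request lines are assumptions. It shows the unbounded copy pattern next to a bounds-checked parser for a `Host:` line that rejects over-long values instead of truncating or overflowing, which is the kind of process-level hardening the post says never got done.

```c
/* Added example, not Gauntlet code: one HTTP request header line parsed into
 * a fixed-size buffer the way a proxy might do it, first with the unbounded
 * pattern that breeds buffer overruns, then with explicit bounds checking. */
#include <stdio.h>
#include <string.h>

#define HDR_MAX 64  /* fixed-size field buffer; the size is a hypothetical choice */

/* Unbounded copy: strcpy trusts the client-chosen length, so a value longer
 * than HDR_MAX-1 bytes overwrites whatever follows dst in memory. Kept only
 * to show the pattern; it is never called with a long value here. */
void copy_value_unsafe(char dst[HDR_MAX], const char *value)
{
    strcpy(dst, value);
}

/* Bounds-checked parse of a "Host: <value>\r\n" line.
 * Returns 0 and fills out on success, -1 if the line is not a Host header,
 * -2 if the value would not fit; out is left empty on failure so a caller
 * can never act on a partial value. */
int parse_host_line(const char *line, char out[HDR_MAX])
{
    static const char prefix[] = "Host:";
    size_t plen = sizeof prefix - 1;

    out[0] = '\0';
    if (strncmp(line, prefix, plen) != 0)
        return -1;
    line += plen;
    while (*line == ' ' || *line == '\t')      /* skip optional whitespace */
        line++;
    size_t n = strcspn(line, "\r\n");           /* value ends at CRLF or NUL */
    if (n >= HDR_MAX)                           /* no room for value plus NUL */
        return -2;
    memcpy(out, line, n);
    out[n] = '\0';
    return 0;
}

/* Constructed inputs for a stand-alone run; each returns 1 on the expected outcome. */
int demo_short_host_accepted(void)
{
    char out[HDR_MAX];
    return parse_host_line("Host: proxy.example.test\r\n", out) == 0
        && strcmp(out, "proxy.example.test") == 0;
}

int demo_long_host_rejected(void)
{
    char line[6 + 200 + 3];
    char out[HDR_MAX];
    memcpy(line, "Host: ", 6);
    memset(line + 6, 'A', 200);                 /* 200-byte value, far over HDR_MAX */
    memcpy(line + 206, "\r\n", 3);              /* CRLF plus terminating NUL */
    return parse_host_line(line, out) == -2 && out[0] == '\0';
}

int demo_non_host_ignored(void)
{
    char out[HDR_MAX];
    return parse_host_line("User-Agent: x\r\n", out) == -1;
}

int main(void)
{
    printf("short host accepted: %d\n", demo_short_host_accepted());
    printf("long host rejected:  %d\n", demo_long_host_rejected());
    printf("non-host ignored:    %d\n", demo_non_host_ignored());
    return 0;
}
```

The design choice worth noting is that the checked parser fails closed: an over-long value is a distinct error code rather than a silently truncated string, so the proxy can drop the request and log it, which is also the signal a defender wants to see in proxy logs.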

