Firewall Wizards mailing list archives

Re: Re: Firewalls breaking stuff: [Was re: fwtk]


From: "Charles W. Swiger" <chuck () codefab com>
Date: Mon, 22 Jul 2002 15:06:39 -0400

On Monday, July 22, 2002, at 02:19  PM, Paul Robertson wrote:
On Mon, 22 Jul 2002, Charles W. Swiger wrote:
Let's say the SSL device is internal: on a PCI
card, or is connected via the SCSI bus. Even if the device is vulnerable,
how is an attacker going to get to it?

It doesn't function well as an accelerator if it doesn't accept HTTPS
connections.

That's not correct.

[ Short of compromising and going through the HTTPS server machine, that
is. ]

It *is* the HTTPS server, that's the idea [NPI].

The machine the SSL accelerator is connected to would be running HTTPS, but an SSL accelerator isn't an HTTPS server. A PCI card or a dongle on the SCSI chain doesn't have a network interface, and would not be listening on port 443/tcp even if it could speak HTTPS.

vulnerable to compromise than any other network appliance.  For instance,
has anyone else had to update the firmware on their network switches for
the SNMP vulnerability?

Only those who turn that feature on and rely on it for operations.

And those who turn the feature on but don't rely on it. And those using switches shipped with SNMP enabled by the vendor's default who haven't turned it off. And those who aren't using SNMP now but want to close a potential hole in case they (or someone else) enable the feature later.

[ The last case most closely resembles my situation, but I'm paranoid enough to filter 162 and 163 anyway. ]

- And you responded that we should get EVEN MORE COMPLEX by adding
        mystical unauditable devices to the configuration because...?
        it's better than just implementing a subset of SMTP?

Are the mystical unauditable devices sold by some security vendors better?

Nothing is unauditable - it _may_ be that you may or may not have the
opportunity/skills/time to perform such an audit, but that doesn't make it
unauditable.

Marcus claimed the SSL crypto-accelerator box was "mystical" and "unauditable" in the part quoted above, but you've claimed that "nothing is unauditable". Regardless of which one of you is correct, my point remains that a box labelled "Cryptoswift" is not inherently more or less secure than a box labelled "Cisco" (or Nokia, or Lucent, etc).

If you can audit a Cisco VPN router, you can audit a Cryptoswift SSL box.

If you can't audit either device, then claims about relative security devolve into opinions. I'd prefer to stick to facts, insofar as we can find and agree upon them.

-Chuck

Chuck Swiger | chuck () codefab com | All your packets are belong to us.
-------------+-------------------+-----------------------------------
       "The human race's favorite method for being in control of the facts
        is to ignore them."  -Celia Green

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards