Firewall Wizards mailing list archives
Re: Re: Firewalls breaking stuff: [Was re: fwtk]
From: "Charles W. Swiger" <chuck () codefab com>
Date: Mon, 22 Jul 2002 15:06:39 -0400
On Monday, July 22, 2002, at 02:19 PM, Paul Robertson wrote:
> On Mon, 22 Jul 2002, Charles W. Swiger wrote:
>> Let's say the SSL device is internal: on a PCI card, or is connected via
>> the SCSI bus. Even if the device is vulnerable, how is an attacker going
>> to get to it?
>
> It doesn't function well as an accelerator if it doesn't accept HTTPS
> connections.

That's not correct.

>> [ Short of compromising and going through the HTTPS server machine, that
>> is. ]
>
> It *is* the HTTPS server, that's the idea [NPI].
The machine the SSL accelerator is connected to would be running HTTPS, but an SSL accelerator isn't an HTTPS server. A PCI card or a dongle on the SCSI chain doesn't have a network interface, and would not be listening on port 443/tcp even if it could speak HTTPS.
>> vulnerable to compromise than any other network appliance. For instance,
>> has anyone else had to update the firmware on their network switches for
>> the SNMP vulnerability?
>
> Only those who turn that feature on and rely on it for operations.
And those who turn the feature on but don't rely on it. And those using switches shipped with SNMP enabled by the vendor's default who haven't turned it off. And those not using SNMP now but want to close a potential hole if they (or someone else) enables the feature later.
[ The last case most closely resembles my situation, but I'm paranoid enough to filter 162 and 163 anyway. ]
>>> - And you responded that we should get EVEN MORE COMPLEX by adding
>>> mystical unauditable devices to the configuration because...? it's
>>> better than just implementing a subset of SMTP?
>>
>> Are the mystical unauditable devices sold by some security vendors better?
>
> Nothing is unauditable- it _may_ be that you may or may not have the
> opportunity/skills/time to perform such an audit, but that doesn't make
> it unauditable
Marcus claimed the SSL crypto-accelerator box was "mystical" and "unauditable" in the part quoted above, but you've claimed that "nothing is unauditable". Regardless of which one of you is correct, my point remains that a box labelled "Cryptoswift" is not inherently more or less secure than a box labelled "Cisco" (or Nokia, or Lucent, etc).
If you can audit a Cisco VPN router, you can audit a Cryptoswift SSL box.If you can't audit either device, then claims about relative security devolve into opinions. I'd prefer to stick to facts, insofar as we can find and agree upon them.
-Chuck

Chuck Swiger | chuck () codefab com | All your packets are belong to us.
-------------+-------------------+-----------------------------------
"The human race's favorite method for being in control of the facts is to ignore them." -Celia Green
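The exposure distinction argued over in this message (a vendor-default service such as SNMP that nobody relies on is still attack surface and should be turned off, not merely filtered at the border, while a crypto accelerator on the PCI or SCSI bus has no network interface and is reachable only through its host) can be turned into a simple inventory check. The following is an added example, not code from the thread or from any of its participants; the device names, services, "relied on" flags and filter rules are constructed for illustration.

```python
"""Exposure audit for services that are enabled but not relied on.

Added example (not from the mailing-list thread). Given an inventory of
devices, the services each one listens on, whether operations rely on
each service, and the perimeter filter rules, report what to do with
each listener. All inventory data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Service:
    name: str
    proto: str        # "tcp" or "udp"
    port: int
    relied_on: bool   # operations depend on this service being reachable


@dataclass
class Device:
    name: str
    has_network_interface: bool
    services: List[Service] = field(default_factory=list)


@dataclass
class FilterRule:
    """A perimeter rule that drops traffic to an inclusive port range."""
    proto: str
    ports: Tuple[int, int]


def is_filtered(rules: List[FilterRule], proto: str, port: int) -> bool:
    return any(r.proto == proto and r.ports[0] <= port <= r.ports[1]
               for r in rules)


def classify(relied_on: bool, filtered: bool) -> str:
    # A perimeter filter only narrows who can reach the service; a service
    # nobody relies on should be turned off regardless of the filter, since
    # the filter does nothing for anyone already inside it.
    if not relied_on:
        return "disable" if filtered else "disable-or-filter"
    return "ok" if filtered else "keep-patched"


def audit(devices: List[Device], rules: List[FilterRule]) -> List[Dict]:
    findings = []
    for dev in devices:
        if not dev.has_network_interface:
            # Bus-attached accelerator: it listens on nothing, so it adds no
            # network-reachable surface of its own; its host is the exposure.
            continue
        for svc in dev.services:
            filtered = is_filtered(rules, svc.proto, svc.port)
            findings.append({
                "device": dev.name,
                "service": svc.name,
                "port": f"{svc.port}/{svc.proto}",
                "relied_on": svc.relied_on,
                "filtered": filtered,
                "action": classify(svc.relied_on, filtered),
            })
    return findings


def sample_inventory() -> Tuple[List[Device], List[FilterRule]]:
    """Constructed inventory and rule set (hypothetical, not a real network)."""
    devices = [
        Device("core-switch", True, [
            Service("snmp", "udp", 161, relied_on=False),  # vendor default, unused
            Service("ssh", "tcp", 22, relied_on=True),
        ]),
        Device("www", True, [Service("https", "tcp", 443, relied_on=True)]),
        Device("ssl-accel-card", False),  # PCI card inside "www", no NIC
    ]
    # SNMP get/set (161) and traps (162) dropped at the border.
    rules = [FilterRule("udp", (161, 162))]
    return devices, rules


if __name__ == "__main__":
    devs, rules = sample_inventory()
    for f in audit(devs, rules):
        print(f"{f['device']:15} {f['service']:6} {f['port']:8} -> {f['action']}")
```

Running it lists the switch's SNMP listener as "disable" even though the border filter covers it, and the accelerator card never appears in the findings because it has nothing of its own to expose.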