Firewall Wizards mailing list archives

Re: Re: Firewalls breaking stuff: [Was re: fwtk]


From: Paul Robertson <proberts () patriot net>
Date: Mon, 22 Jul 2002 17:50:59 -0400 (EDT)

On Mon, 22 Jul 2002, Charles W. Swiger wrote:

That's not correct.

Sorry, I was thinking of the accelerator/decryptors which started the 
thread- you're right- some products don't handle the SSL stream, but that 
doesn't make them bug-free, and certainly doesn't mean that tainted data 
won't be passed through the server to them.

[ Short of compromising and going through the HTTPS server machine, that
is. ]

It *is* the HTTPS server, that's the idea [NPI].

The machine the SSL accelerator is connected to would be running HTTPS, 
but an SSL accelerator isn't an HTTPS server.  A PCI card or a dongle on 
the SCSI chain doesn't have a network interface, and would not be 
listening on port 443/tcp even if it could speak HTTPS.

That doesn't mean that it doesn't have, say, the ASN.1 bugs that we've seen 
in LDAP and SNMP.  That doesn't mean they're not exploitable via that 
vector either.

Only those who turn that feature on and rely on it for operations.

And those who turn the feature on but don't rely on it.  And those using 
switches shipped with SNMP enabled by the vendor's default who haven't 
turned it off.  And those not using SNMP now but want to close a potential 
hole if they (or someone else) enables the feature later.

The point would be what?  That people using featurful products need to 
keep up to date?  No arguments here.

Marcus claimed the SSL crypto-accelerator box was "mystical" and 
"unauditable" in the part quoted above, but you've claimed that "nothing 
is unauditable".  Regardless of which one of you is correct, my point 
remains that a box labelled "Cryptoswift" is not inherently more or less 
secure than a box labelled "Cisco" (or Nokia, or Lucent, etc).

That's not the argument though- the argument is that adding a complex 
protocol (or complex bunch of calls) adds a potential for more attacks 
against the device.  It may be more or less secure- part of the reason 
that I'm skeptical about it is that I've read all the Lab reports on our 
site for VPN devices, talked to a lot of vendors in a former life 
(including vendors with products on the EPL) and frankly I'm not all that 
impressed with the level of security put in most encryption products.  I'd 
rather go with something where I know things like IVs have been tested than 
something where I don't know that at all- either I have to test it, or I 
have to trust someone else to test it.  In either case it gives me an 
advantage over something that I have no testing information on.  What if 
your card starts with the same IV every time?  

If you can audit a Cisco VPN router, you can audit a Cryptoswift SSL box.

Maybe, maybe not- it depends on the tools and functions- which is why 
what's evaluated and how is important when depending on evaluations[1].

Paul
[1] Yes, the royal we certainly can, but that market seems to not be all 
that interested.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
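The "what if your card starts with the same IV every time?" question above is concrete enough to test. The following is an added example, not code from the thread or from any of the products named in it: a CBC-mode encryptor driven by a keyed block function, a hypothetical fixed-IV "device" next to one that draws a fresh IV per call, a prefix-leakage measurement, and a black-box repetition check of the kind Paul says he would rather run himself than trust unseen. The block function is an HMAC-based stand-in for a real block cipher (an assumption made so the example runs with only the standard library); the leakage shown depends only on CBC chaining and a deterministic cipher, so it holds unchanged for AES. Plaintexts and keys are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Callable, Tuple

BLOCK = 16  # AES-sized blocks


def prp_stub(key: bytes) -> Callable[[bytes], bytes]:
    """Deterministic keyed block function standing in for a real block cipher.

    Assumption: a 16-byte truncated HMAC-SHA256 is used instead of AES so the
    example runs offline.  Nothing below depends on which deterministic block
    cipher is plugged in; only the CBC chaining matters for the IV argument.
    """
    def enc(block: bytes) -> bytes:
        return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]
    return enc


def cbc_encrypt(enc: Callable[[bytes], bytes], iv: bytes, plaintext: bytes) -> bytes:
    """Plain CBC: C_i = E(P_i xor C_{i-1}), with C_0 = IV.  Input must be block-aligned."""
    assert len(iv) == BLOCK and len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = enc(bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def fixed_iv_device(key: bytes) -> Callable[[bytes], Tuple[bytes, bytes]]:
    """Hypothetical accelerator that uses an all-zero IV on every call (the failure mode in question)."""
    enc = prp_stub(key)
    iv = b"\x00" * BLOCK
    return lambda pt: (iv, cbc_encrypt(enc, iv, pt))


def fresh_iv_device(key: bytes) -> Callable[[bytes], Tuple[bytes, bytes]]:
    """Hypothetical accelerator that draws an unpredictable IV per call (the expected behaviour)."""
    enc = prp_stub(key)

    def call(pt: bytes) -> Tuple[bytes, bytes]:
        iv = os.urandom(BLOCK)
        return iv, cbc_encrypt(enc, iv, pt)
    return call


def leaked_prefix_blocks(c1: bytes, c2: bytes) -> int:
    """Count leading ciphertext blocks that are identical between two encryptions.

    Under a fixed IV this equals the number of identical leading plaintext blocks,
    so an eavesdropper learns how far two messages agree (and can confirm guesses
    about a known prefix).  Under fresh IVs it is 0 except with negligible probability.
    """
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n


def iv_reuse_check(device: Callable[[bytes], Tuple[bytes, bytes]], trials: int = 1000) -> Tuple[int, int]:
    """Black-box test: encrypt the same message repeatedly and count distinct IVs and ciphertexts.

    A correct device returns (trials, trials).  Anything less means the IV source
    repeats, and with CBC that means equal plaintexts give equal ciphertexts.
    """
    pt = b"A" * (2 * BLOCK)  # constructed sample message
    ivs, cts = set(), set()
    for _ in range(trials):
        iv, ct = device(pt)
        ivs.add(iv)
        cts.add(ct)
    return len(ivs), len(cts)


if __name__ == "__main__":
    key = b"\x01" * 16  # constructed sample key
    # Two requests with the same first block and a different second block.
    req1 = b"GET /account/42 " + b"password=hunter2"
    req2 = b"GET /account/42 " + b"password=letmein"
    for name, dev in (("fixed IV", fixed_iv_device(key)), ("fresh IV", fresh_iv_device(key))):
        _, c1 = dev(req1)
        _, c2 = dev(req2)
        print(name, "leaked prefix blocks:", leaked_prefix_blocks(c1, c2),
              "distinct (iv, ct) over 1000 calls:", iv_reuse_check(dev))
```

The repetition check is the cheap test to run against any accelerator that exposes an encrypt call: it needs no knowledge of the internals and fails loudly on a fixed or counter-reset IV. It does not catch a predictable-but-unique IV, which is a separate property to examine.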

