Firewall Wizards mailing list archives

RE: Question about CyberGuard


From: David Bonn <David.Bonn () watchguard com>
Date: Wed, 24 Dec 1997 11:18:17 -0800

Gary == "Gary Crumrine" <gcrum () us-state gov> writes:

Gary> Have you used the watchguard product???  It has several holes in it..and
Gary> crashes repeatedly under loads of over 4 users on concurrently...  Not a
Gary> good thing... Company admits it is a bug...

First off, I'm running behind a WG with 17 users currently logged in
(not bad for xmas eve morning).  I'm not saying there aren't bugs in
WG (or any firewall), and I'm not saying that we haven't had crashes
in WG, but I don't know of any problem where a load of 4 users crashes
WG.  A check of support call logs reveals that no one has reported
such a problem to our tech support people.  As best as I can check on
a holiday morning nobody who works here has reported or submitted such
a bug.

I do know that we have more than a few customers with several thousand
users behind a red box.

For obvious reasons, I'd like to hear about the holes in WG.  Do you
have specific knowledge of such holes?

All software products have bugs, and security products have
security-related bugs.  Though we have tested out pretty well on
security tests in various environments (of course, that and a thousand
bucks will buy you a copy of Windows NT server).

Given our design approach I believe that WG is pretty darned secure.
We run in an extremely stripped-down environment.  No shells, no
network daemons, no way for other user processes to run.  The
out-of-the-box configuration (after running our wizard) is quite
secure (only proxied SMTP and DNS are allowed to the internal network,
HTTP and FTP may be allowed to a host on a DMZ network).  Unless a
user edits the configuration directly with a text editor or allows a
busted network service (rsh, rlogin, SNMP, the list is really endless)
through the red box, it should stay that way.

It really is a "stance" issue.  Most NT or Unix-based firewalls
require that the installer do various nontrivial things (install OS
patches, alter system configuration files, et al.) to get a secure
configuration.  WG systems require that the installer do nontrivial
things to make the configuration insecure.

David Bonn
VP Engineering, Watchguard Technologies, Inc.
david.bonn () watchguard com


