Firewall Wizards mailing list archives
Re: Facts, not Fiction
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Fri, 07 Nov 1997 23:46:52 -0500
> Have any of the _current_ firewall implementations of the major vendors (TIS, Checkpoint, Raptor) on any platform been cracked (compromised or broken into)?
Yes. :) But in every case that I've heard of, it's usually found by insiders first, or outside business partners with deep internal access to the software. There have been flaws of one sort or another in many of the top firewall products, and generally they are quietly fixed pretty quickly.
> That is: even though the setup was flawless, is there a known DoS attack against these systems, can they be manipulated, or do they pass data they are not supposed to pass, etc.?
Denial of service attacks have been known to work on several of the proxy type firewalls (which usually rely more on the vendor's provided IP stack) -- but just about *ANYTHING* seems to be vulnerable to some sort of denial of service attack. The more interesting problems are the ones where the firewall may start to pass data it's not supposed to -- those are less common bugs, but they have happened as well.

The vast bulk of firewall break-ins has to do with misconfigurations, ranging from installing them backwards (!) to more subtle forms of the incoming traffic problem. The bulk of compromises are because of too much traffic being allowed back and forth (usually in) to servers that are insecure. In general these break down into classes of incoming traffic problem or transitive trust.

There are no statistics I can point at that enumerate what's been happening; CSI has some numbers I believe they are about to publish, but they're based on blind surveys and perforce are not detailed.

Before you ask: no, I will not be forthcoming about details. The vendors in question fixed things right away, but some of their existing customers may be running older versions; describing problems would be doing them a huge disservice. Since I'm not going to go into details, I won't be insulted if you choose to believe I've got no idea what I'm talking about.

mjr.

--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr