Firewall Wizards mailing list archives

Re: FW-1 technical strength
From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Mon, 21 Dec 1998 17:44:58 -0800
There are no outstanding security issues with FW-1
as of the latest service pack.  There was a published
report of a buffer overflow in one of the proxies, but
the description of the service pack makes vague
reference to that, implying it's fixed.  It's possible that
one issue may be outstanding.

As with any firewall, it's quite easy to misconfigure, and
leave holes.  Most of the recent "advisories" make
reference to that type of problem.  Those are valuable
for FW-1 admins, but they don't constitute classic
holes in my opinion.

Probably the biggest weakness of FW-1 is that it does
little or no content filtering for most protocols above
layer 4.  The tendency seems to be for Checkpoint to do the
least amount of work to get a particular protocol to pass
with address translation.

                         Ryan
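To make concrete what "little or no content filtering for most protocols above layer 4" means, here is an added example (it is not code from the post and not Check Point's code). It models a toy packet filter that decides on protocol and destination port only, then adds a layer-7 check that requires traffic on port 80 to actually look like an HTTP request. The rule table, the `Packet` type and the sample payloads are all constructed for illustration.

```python
"""Layer-4 (port/protocol) decision versus a layer-7 content check.

Constructed illustration; not Check Point code and not a real firewall.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    payload: bytes  # application data carried in the segment


# Layer-4 rule table: (protocol, destination port, action).
# A pure packet filter with address translation looks no deeper than this.
L4_RULES = [("tcp", 80, "accept")]


def l4_decision(pkt: Packet) -> str:
    """Decide solely on protocol and destination port; the payload is never examined."""
    for proto, port, action in L4_RULES:
        if pkt.proto == proto and pkt.dport == port:
            return action
    return "drop"  # default deny for anything not explicitly allowed


# Minimal HTTP request-line shape (hypothetical check, deliberately strict).
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) /\S* HTTP/1\.[01]\r\n")


def l7_decision(pkt: Packet) -> str:
    """Apply the layer-4 rule first, then require port-80 payloads to look like HTTP."""
    action = l4_decision(pkt)
    if action != "accept":
        return action
    if pkt.dport == 80 and not HTTP_REQUEST_LINE.match(pkt.payload):
        # Something other than HTTP is riding on the web port (e.g. a tunnel).
        return "drop"
    return "accept"


# Constructed sample traffic, not captured data.
SAMPLES = {
    "http":      Packet("tcp", 80, b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"),
    "ssh_on_80": Packet("tcp", 80, b"SSH-2.0-OpenSSH_7.9\r\n"),
    "telnet":    Packet("tcp", 23, b"login: "),
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {name: (layer-4 verdict, layer-7 verdict)} for each sample packet."""
    return {name: (l4_decision(p), l7_decision(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (l4, l7) in evaluate().items():
        print(f"{name:10s} L4={l4:7s} L7={l7}")
```

The `ssh_on_80` sample is the point of the exercise: a port-only rule accepts it because it is TCP to port 80, while the content check drops it. That is the class of traffic a layer-4-only policy cannot distinguish, and why a protocol that is merely "passed with address translation" is not the same as one that is inspected.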
I have several clients who use Checkpoint's Firewall-1.  I have my
own opinions about the product, but they are just that - opinions.
My question to this audience is, "properly configured, what are the
specific technical vulnerabilities in the FW-1 product, if any?"  I
ask this because many security professionals seem to be wary of, if
not downright hostile to, the FW-1.  Ok, so what's wrong with it?

I'm not looking for unfounded rumor about satan's minions contributing
code to the product, I'm looking for hard, real-world reasons why the
product is good or bad.

If Marcus wants, you can email me and I'll summarize back to the list.