Firewall Wizards mailing list archives
Re: FW-1 technical strength
From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Mon, 21 Dec 1998 17:44:58 -0800
There are no outstanding security issues with FW-1 as of the latest service pack. There was a published report of a buffer overflow in one of the proxies, but the description of the service pack makes vague reference to that, implying it's fixed. It's possible that one issue may be outstanding.

As with any firewall, it's quite easy to misconfigure, and leave holes. Most of the recent "advisories" make reference to that type of problem. Those are valuable for FW-1 admins, but they don't constitute classic holes in my opinion.

Probably the biggest weakness of FW-1 is that it does little or no content filtering for most protocols above layer 4. The tendency seems to be for Checkpoint to do the least amount of work to get a particular protocol to pass with address translation.

Ryan

I have several clients who use Checkpoint's Firewall-1. I have my own opinions about the product, but they are just that - opinions. My question to this audience is, "properly configured, what are the specific technical vulnerabilities in the FW-1 product, if any?"

I ask this because many security professionals seem to be wary of, if not downright hostile to, the FW-1. Ok, so what's wrong with it? I'm not looking for unfounded rumor about satan's minions contributing code to the product, I'm looking for hard, real-world reasons why the product is good or bad.

If Marcus wants, you can email me and I'll summarize back to the list.