Firewall Wizards mailing list archives
Re: Apology - not necessary
From: "Ryan Russell" <ryanr () sybase com>
Date: Sat, 26 Sep 1998 11:14:12 -0700
For the record, I'll reiterate my $3,000 challenge for a disassembled proof of a trapdoor. I've appended the original posting below.
It's sometimes difficult to prove "trap door" from "bug". What's your metric for proof? Can it be non-disassembled evidence (packets, rules, sniffer output), or is a direct comparison in the code the only form of proof you'll accept, and are there any version limits?
The same thing occurred to me. It would be really hard to distinguish bug or bad advice from Checkpoint from an intentional hole. For example, in the Checkpoint manuals and on-line help, it says that "Allow control connections" must be checked on to be able to remotely manage your FW-1. This advice turns out to be not only wrong, but leaves your firewall open to certain types of attack. It's not necessarily instant root, but constitutes a good-size hole. Checkpoint has issued instructions on how to work around it. Personally, I believe this constitutes stupidity rather than maliciousness.

As for the rest of this thread... There are plenty of other reasons for government agencies to not use FW-1 other than unsubstantiated rumor based on country of origin. Paul gave a nice summary list of some of them. I can say that because my company doesn't sell firewalls, and I'm a current FW-1 user. My only vested interest is in knowing how to configure FW-1 properly and knowing how secure it is or isn't.

Ryan