Firewall Wizards mailing list archives

Re: FW-1 technical strength


From: Chris Brenton <cbrenton () sover net>
Date: Wed, 30 Dec 1998 15:52:55 -0500

"Stout, Bill" wrote:

1.      It's not designed to do applications filtering, so once a session is
established that looks O.K., that channel is wide open to pass any attack
commands or binaries.  Note that proxies can be added and custom pattern
matching filtering can be added (more work) but proxies/content filtering
are not part of the design, it's a session box.

Hummm. I agree FW-1 is not primarily an app proxy, but you do get a few
of the major ones included (SMTP, HTTP, etc.). Also, I have to disagree
with the "wide open" comment as this is not true unless you enable
fastpath (which is off by default).

The stateful inspection (note that I did not say dynamic packet
filtering) portion of the product gives you some minor "app proxy like"
ability. The problem is that CP has not done a very good job of letting
people know how to use their inspection code. It's a great tool once you
figure out how to use it; the problem is that many people do not have
the time or energy to figure out how.

IMO, SI is not quite as robust as a proxy since you still get a direct
connect with the target, but in some ways it may actually be more
flexible.

2.      It's easy to misconfigure.  Most sites I visit with it are
broadcasting or internally responding to external SNMP requests.  Often
these attempts to respond result in internal SNMP broadcast storms.  Also
SNMP port of the firewall itself is usually open to external 'public' (a
poorly documented default value that was fixed).

I can not argue with this one. I guess my biggest gripe here is that the
problem has not been made public enough. It seems about every 6 months
people hear about this and it keeps getting re-invented as a new issue
(I seem to remember Bill's comments on this subject quite a few months ago
as well ;).

I think discussion about it is a good thing, it just bothers me that it
is not old news to everyone by now.

BTW, for those who are unfamiliar with what Bill is talking about, check
out:
http://www.geek-speak.net/fw1/fw1_properties.html

3.      At one web service bureau, unserviced requests overwhelmed the
filter tables, causing the firewall to lock up, requiring hard reboot every
two to four hours.

I would need a bit more info to comment on this one. Are we talking T3+
with 1,000+ connections/sec or traffic that is more in line with the
average connect speed? Using what hardware? Obviously any product that
needs to inspect packets is going to roll off at some point. I guess the
above would concern me more if the failure condition caused traffic to
get passed unchecked. My guess is that an app proxy running on the same
hardware would roll off under even less of a traffic load.

4.      Some NT systems apparently had memory leaks, locked up, and required
occasional reboot.

This is not a feature?
I would guesstimate I have 30+ FW-1 installs running on NT out in the
field. None (that I'm aware of) have memory leak problems and typically
run for months without a reboot (OK, this is about 1/3 the running time
of the Sun installs, but we are talking NT after all ;)

5.      Poor SMTP spooling mechanism.  Sometimes it gets jammed or crashes,
and restarting loses incoming messages.  Mail flood attacks crash FW-1.
Some lost messages were important to either recipient or sender in the
cases I've seen.

I agree completely except that I would add that outbound mail can be
lost as well. The SMTP security server is bad voodoo. I avoid it as much
as possible. It's fine for small environments (less than 50 users) but
dies under heavy load.

6.      Tough time doing large FTP sessions through it, FTP transfers would
often die.

Humm. I've heard complaints about this but have never run into it with
one of my installs (NT or Sun). Even while using NAT & passive transfers
from a DMZ server.

7.      It allows stealth scanning of the internal network since FW response
for existing nodes differs from non-existent nodes.

I would love to hear a bit more detail on this one. I agree with the
stealth scanning *if* you leave the default properties settings intact.
Your comment, "since FW response for existing nodes differs from
non-existent nodes": are you referring to SYNDefender? If so, I'm not
sure how this would
matter as SYNDefender can create a positive session response for all
service requests, even for services that do not actually exist. IMO the
SYN relay mode is one of the best tools available for making scanning
pretty useless.

8.      It was going through qualification for use at U.S. government sites
since it had some NSA protocol support, however FW-1 is made in Israel which
is an occasional ally
<snip>

Not the first time I've heard that FW-1 has been *banned* from use by
the US government. I still have yet to see an active link that shows
this to be true however. I also know that CP has responded to this
allegation at least once before claiming it was false.

Cheers all,
Chris
-- 
**************************************
cbrenton () sover net

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
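The SYN relay point raised under item 7, as an added example that is not part of the original post and not Check Point's code: a toy model of a firewall that either passes a permitted SYN through to the internal host (stateful inspection) or completes the handshake itself (SYN relay), showing why a SYN-only sweep stops telling live, closed and missing nodes apart once the relay is on, and that a full connect still learns the host's state afterwards. Hosts, ports and rule entries are constructed sample data.

```python
# Added example (not code from the thread or from Check Point): a toy model of
# why a SYN relay gives every permitted probe the same first answer. Hosts,
# ports and rules below are constructed sample data.

# Constructed internal network: host -> listening TCP ports.
# 10.1.1.30 is intentionally missing to stand for a node that no longer exists.
INTERNAL_HOSTS = {"10.1.1.10": {25, 80}, "10.1.1.20": {22}}

# Constructed rule base: (dst, port) pairs the firewall permits from outside.
# The stale rule for 10.1.1.30 is what leaks "host gone" in pass-through mode.
RULE_BASE = {("10.1.1.10", 25), ("10.1.1.10", 80), ("10.1.1.20", 22),
             ("10.1.1.20", 23), ("10.1.1.30", 80)}


def backend_reply(dst, port):
    """What the real host answers to a SYN once the firewall lets it through."""
    if dst not in INTERNAL_HOSTS:
        return "TIMEOUT"            # no such node: the SYN is never answered
    return "SYN/ACK" if port in INTERNAL_HOSTS[dst] else "RST"


def first_response(dst, port, mode):
    """First packet a half-open (SYN-only) probe gets back through the firewall."""
    if (dst, port) not in RULE_BASE:
        return "DROP"               # denied by rule base: silent in both modes
    if mode == "passthrough":       # stateful inspection: handshake reaches the host
        return backend_reply(dst, port)
    if mode == "relay":             # firewall answers SYN/ACK on the host's behalf
        return "SYN/ACK"
    raise ValueError(f"unknown mode {mode!r}")


def full_connect(dst, port, mode):
    """Outcome once the client also sends its ACK (a full-connect probe)."""
    first = first_response(dst, port, mode)
    if first != "SYN/ACK":
        return first
    if mode == "relay":
        # Only now does the relay open the real connection; a dead backend or
        # closed port shows up as a reset *after* the handshake, never as silence.
        if backend_reply(dst, port) == "SYN/ACK":
            return "ESTABLISHED"
        return "RST_AFTER_HANDSHAKE"
    return "ESTABLISHED"


def distinct_first_responses(targets, mode):
    """The set of different first answers a SYN sweep over `targets` can see."""
    return {first_response(d, p, mode) for d, p in targets}


if __name__ == "__main__":
    for mode in ("passthrough", "relay"):
        print(mode, distinct_first_responses(sorted(RULE_BASE), mode))
```

The model's limit is the one a defender should keep in mind: the relay removes the difference only for the first reply, so it blunts half-open sweeps and SYN floods while a completed handshake still reveals whether anything is behind the rule.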


