Firewall Wizards mailing list archives
Re: FW-1 technical strength
From: Chris Brenton <cbrenton () sover net>
Date: Wed, 30 Dec 1998 15:52:55 -0500
"Stout, Bill" wrote:
1. It's not designed to do application filtering, so once a session is established that looks O.K., that channel is wide open to pass any attack commands or binaries. Note that proxies can be added and custom pattern-matching filtering can be added (more work), but proxies/content filtering are not part of the design; it's a session box.
Hummm. I agree FW-1 is not primarily an app proxy, but you do get a few of the major ones included (SMTP, HTTP, etc.). Also, I have to disagree with the "wide open" comment, as this is not true unless you enable fastpath (which is off by default). The stateful inspection (note that I did not say dynamic packet filtering) portion of the product gives you some minor "app proxy like" ability. The problem is that CP has not done a very good job of letting people know how to use their inspection code. It's a great tool once you figure out how to use it; the problem is that many people do not have the time or energy to figure out how. IMO, SI is not quite as robust as a proxy since you still get a direct connect with the target, but in some ways it may actually be more flexible.
2. It's easy to misconfigure. Most sites I visit with it are broadcasting or internally responding to external SNMP requests. Often these attempts to respond result in internal SNMP broadcast storms. Also, the SNMP port of the firewall itself is usually open to external 'public' (a poorly documented default value that was fixed).
I cannot argue with this one. I guess my biggest gripe here is that the problem has not been made public enough. It seems about every 6 months people hear about this and it keeps getting re-invented as a new issue (I seem to remember Bill's comments on this subject quite a few months ago as well ;). I think discussion about it is a good thing; it just bothers me that it is not old news to everyone by now. BTW, for those who are unfamiliar with what Bill is talking about, check out: http://www.geek-speak.net/fw1/fw1_properties.html
3. At one web service bureau, unserviced requests overwhelmed the filter tables, causing the firewall to lock up, requiring hard reboot every two to four hours.
I would need a bit more info to comment on this one. Are we talking T3+ with 1,000+ connections/sec, or traffic that is more in line with the average connect speed? Using what hardware? Obviously any product that needs to inspect packets is going to roll off at some point. I guess the above would concern me more if the failure condition caused traffic to get passed unchecked. My guess is that an app proxy running on the same hardware would roll off under even less of a traffic load.
4. Some NT systems apparently had memory leaks, locked up, and required occasional reboot.
This is not a feature? I would guesstimate I have 30+ FW-1 installs running on NT out in the field. None (that I'm aware of) have memory leak problems, and they typically run for months without a reboot (OK, this is about 1/3 the running time of the Sun installs, but we are talking NT after all ;)
5. Poor SMTP spooling mechanism. Sometimes it gets jammed or crashes, and restarting loses incoming messages. Mail flood attacks crash FW-1. Some lost messages were important to either recipient or sender in the cases I've seen.
I agree completely, except that I would add that outbound mail can be lost as well. The SMTP security server is bad voodoo. I avoid it as much as possible. It's fine for small environments (less than 50 users) but dies under heavy load.
6. Tough time doing large FTP sessions through it, FTP transfers would often die.
Humm. I've heard complaints about this but have never run into it with one of my installs (NT or Sun), even while using NAT & passive transfers from a DMZ server.
7. It allows stealth scanning of the internal network since FW response for existing nodes differs from non-existent nodes.
I would love to hear a bit more detail on this one. I agree with the stealth scanning *if* you leave the default properties settings intact. Regarding your comment "since FW response for existing nodes differs from non-existent nodes", are you referring to SYNDefender? If so, I'm not sure how this would matter, as SYNDefender can create a positive session response for all service requests, even for services that do not actually exist. IMO the SYN relay mode is one of the best tools available for making scanning pretty useless.
8. It was going through qualification for use at U.S. government sites since it had some NSA protocol support, however FW-1 is made in Israel which is an occasional ally
<snip>
Not the first time I've heard that FW-1 has been *banned* from use by the US government. I still have yet to see an active link that shows this to be true, however. I also know that CP has responded to this allegation at least once before, claiming it was false.

Cheers all,
Chris
--
**************************************
cbrenton () sover net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
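Bill's point 2 and Chris's reply concern a firewall whose own SNMP agent answers the 'public' community from the outside. The check a practitioner wants is a single SNMPv1 GetRequest for sysDescr.0 sent to UDP/161 from an external address: silence means the port is filtered (or nobody listens), an answer means the default community is exposed. The script below is an added example, not code from the thread or from Check Point; it hand-rolls the BER encoding rather than depending on an SNMP library so it runs anywhere. The target address, the community string and the constructed GetResponse used to exercise the parser are assumptions.

```python
"""Probe a host for an SNMPv1 agent that answers the 'public' community,
using a minimal BER encoder/decoder (no third-party SNMP library needed).

Added example; not code from the mailing-list thread or from Check Point.
The OID, community string and the constructed response are assumptions.
"""
import socket

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"  # sysDescr.0 from MIB-II


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int) -> bytes:
    """INTEGER in minimal two's-complement form."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return tlv(0x02, value.to_bytes(length, "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # last octet has no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))   # emit most-significant group first
    return tlv(0x06, bytes(out))


def build_get_request(oid: str, community: str = "public", request_id: int = 1) -> bytes:
    """SNMPv1 Message { version 0, community, GetRequest-PDU (tag 0xA0) }."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))  # value is NULL in a request
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def build_get_response(oid: str, value: str, community: str = "public", request_id: int = 1) -> bytes:
    """Constructed GetResponse-PDU (tag 0xA2); only used here to exercise the parser."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x04, value.encode()))
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_children(content: bytes):
    """Split a constructed value into a list of (tag, content) children."""
    pos, children = 0, []
    while pos < len(content):
        tag, inner, pos = parse_tlv(content, pos)
        children.append((tag, inner))
    return children


def parse_get_response(packet: bytes):
    """Return (community, first varbind value) for an error-free GetResponse, else None."""
    try:
        tag, msg, _ = parse_tlv(packet)
        if tag != 0x30:
            return None
        _version, community, pdu = parse_children(msg)
        if pdu[0] != 0xA2:            # not a GetResponse-PDU
            return None
        _req_id, err_status, _err_index, varbinds = parse_children(pdu[1])
        if int.from_bytes(err_status[1], "big", signed=True) != 0:
            return None               # agent answered but refused (e.g. noSuchName)
        _oid, value = parse_children(parse_children(varbinds[1])[0][1])
        return community[1].decode(), value[1].decode(errors="replace")
    except (ValueError, IndexError):  # truncated or malformed packet
        return None


def probe(host: str, community: str = "public", timeout: float = 2.0):
    """One GetRequest to UDP/161: None on silence, (community, sysDescr) on an answer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_get_request(SYS_DESCR_OID, community), (host, 161))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_get_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # assumed address
    result = probe(target)
    print("no answer (filtered or no agent)" if result is None
          else f"agent answered to '{result[0]}': {result[1]}")
```

Run it from outside the firewall against the firewall's external address; a reply to 'public' is exactly the exposure Bill describes. Silence is not proof of safety on its own (UDP probes may be dropped upstream), so repeat from a second vantage point before calling it closed.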
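Bill's point 7 and Chris's reply turn on what an external scanner can infer from the firewall's response to a SYN. The model below is an added example, not code from the thread or from Check Point: it compares a filter that forwards permitted SYNs to the inside (so a live host's RST and a dead address's silence differ) with a SYN-relay style defence that completes the handshake for every permitted destination. The DMZ range, the two "real" hosts, the one accept rule, and the assumption that the rulebase drops silently rather than rejecting are all illustrative assumptions.

```python
"""Model of why a forwarding packet filter can leak which internal addresses
exist, and why a SYN relay that answers for everything hides that.

Added example; not code from the thread or from Check Point. Addresses,
rulebase and both behaviours are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Reply(Enum):
    SYN_ACK = "SYN/ACK"      # something completed the handshake
    RST = "RST"              # a live host refused the port
    SILENCE = "no reply"     # dropped by the filter, or nobody at that address


class Mode(Enum):
    FORWARD = "forward permitted SYNs to the real host"
    SYN_RELAY = "firewall answers every permitted SYN itself"


@dataclass
class Firewall:
    hosts: dict        # ip -> set of listening ports (what really exists inside)
    permitted: set     # (ip, port) pairs the rulebase accepts
    mode: Mode

    def handle_syn(self, dst: str, port: int) -> Reply:
        if (dst, port) not in self.permitted:
            return Reply.SILENCE          # rulebase drop: the scanner learns nothing
        if self.mode is Mode.SYN_RELAY:
            return Reply.SYN_ACK          # relay answers whether or not dst exists
        if dst not in self.hosts:
            return Reply.SILENCE          # forwarded into the void
        return Reply.SYN_ACK if port in self.hosts[dst] else Reply.RST


def sweep(fw: Firewall, addresses, port: int) -> dict:
    """What an external scanner observes for each address on one port."""
    return {ip: fw.handle_syn(ip, port) for ip in addresses}


def infer_alive(observations: dict) -> set:
    """Addresses the scanner can mark 'something is there': any non-silent reply."""
    return {ip for ip, reply in observations.items() if reply is not Reply.SILENCE}


def demo():
    addresses = [f"10.0.0.{n}" for n in range(1, 6)]       # assumed DMZ range
    inside = {"10.0.0.2": {22}, "10.0.0.3": {80}}          # only two real hosts
    rule = {(ip, 80) for ip in addresses}                  # "any -> DMZ:80 accept"
    forward = infer_alive(sweep(Firewall(inside, rule, Mode.FORWARD), addresses, 80))
    relay = infer_alive(sweep(Firewall(inside, rule, Mode.SYN_RELAY), addresses, 80))
    return forward, relay


if __name__ == "__main__":
    forward, relay = demo()
    print("forwarding filter reveals:", sorted(forward))   # the two real hosts
    print("SYN relay shows:", sorted(relay))               # every address, real or not
```

With forwarding, the RST from 10.0.0.2 (alive, port closed) and the SYN/ACK from 10.0.0.3 separate the real hosts from the empty addresses; with the relay, all five answer identically and the sweep tells the scanner nothing about what exists, which is the "scanning pretty useless" effect Chris describes. The model leaves out one real-world twist: a rulebase that rejects with RST or ICMP instead of dropping changes the silence column too, so check the actual deny action before reasoning about what a scanner sees.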
Current thread:
- Re: FW-1 technical strength Chris Brenton (Jan 04)
- <Possible follow-ups>
- RE: FW-1 technical strength Stout, Bill (Jan 04)
- Re: FW-1 technical strength Chris Brenton (Jan 04)
- RE: FW-1 technical strength Stout, Bill (Jan 04)