Firewall Wizards mailing list archives

RE: Gauntlet: source code anyone ?


From: "McMahan, Peg" <PMcMahan () v-one com>
Date: Thu, 18 Mar 1999 17:45:05 -0500

My guess would be that very very few people report these types of bugs.
Working at a gauntlet reseller and having worked in the training department
here (thank gods I don't do *THAT* anymore) I got a good chance to see what
John.Q.FirewallAdmin is like... I shouldn't generalise, but the majority of
people who came for training on the unix products we sold (including
gauntlet) had never sat in front of a unix box before. Had to talk them
through commands letter by letter... Many wouldn't have any concept of what
source code was, much less understand or recognise a 'buffer overflow'.

Good firewall admins are (quite unfortunately) the exception.

Also, having been part of a support organisation, we have no records of
anyone ever asking us for product source code. In as much as I've dealt with
end-users, I've never even been asked about the 'security' of the firewall.
People assume that since it's a firewall, it's immune to attack entirely.

:-----Original Message-----
:From: Darren Reed [mailto:darrenr () reed wattle id au]
:Sent: Wednesday, March 17, 1999 4:50 PM
:To: firewall-wizards () nfr net
:Subject: Gauntlet: source code anyone ?
:
:There has been much discussion about "must have source code" by people
:who populate these lists for security products, however, in line with
:comments brought up before, there is apparently little benefit for the
:vendor or customer (except that the customer has the ability to introduce
:their own bugs ;).
:
:Why do I say that ?  Well, recently I was in a position to have the time
:to do a quick review of Gauntlet source code.  Just for laughs, I tried
:something stupid like "grep sprintf */*.c".  The scary part is that the
:output was rather lengthy.  Upon having a closer look at one file (x-gw.c),
:it became quickly apparent that fixed buffer sizes (some of which were
:too small) were littered through the code and whilst single buffers
:could be overflowed, by some stroke of luck it doesn't appear easy to
:exploit.  To make it even worse, this was 4.1, not some early rev.
:If you use Gauntlet and have the time, set up a host with a full length
:domain name (256 characters) and try accessing each of the Gauntlet
:services using it...
:
:Getting back to the larger issue, this indicates a few things to me:
:
:1. you can't trust firewall vendors to write good, secure, code;
:
:2. vendors don't appear to do a lot of testing, particularly of boundary
:   cases (just like all good s/w engineers should);
:
:3. vendors don't appear to have very good quality control;
:
:4. those who buy commercial firewall products aren't interested in
:   doing a code review of their vendor.
:
:Of course these are generalised points given one experience, but one
:would have thought that of any firewall, Gauntlet would have been the
:most correct...
:
:Just before I finish, has anyone ever submitted a patch to TIS/NAI for
:Gauntlet to fix security holes ?  Do they reject them or simply sit
:on them ?
:
:Darren
:
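The pattern Darren describes (a fixed-size buffer written with an unbounded sprintf, and a full-length domain name as the input that exceeds it) is worth seeing next to its bounded counterpart. The program below is an added illustration for this thread; it is not code from Gauntlet, from x-gw.c, or from either poster. The buffer size, the "connect to %s" format string and all function names are assumptions chosen for the example; the 255-character hostname limit is the RFC 1034/1035 maximum. The unsafe variant is never executed against oversized input: its effect is measured with snprintf(NULL, 0, ...) instead, so the program runs without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Assumed sizes for illustration only. The thread mentions fixed buffers
 * in x-gw.c that were "too small" but gives no actual numbers. */
#define SMALL_BUF    128
#define MAX_HOSTNAME 255   /* RFC 1034/1035: longest full domain name */

/* How many bytes sprintf(buf, "connect to %s", host) would write,
 * including the terminating NUL. Nothing is written: snprintf with a
 * NULL destination and size 0 only measures. */
size_t bytes_sprintf_would_write(const char *host) {
    int n = snprintf(NULL, 0, "connect to %s", host);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* The defect the thread describes: a fixed buffer of bufsize bytes filled
 * by an unbounded sprintf. Returns true when that write would run past
 * the end of the buffer, i.e. when the original pattern overflows. */
bool overflows_fixed_buffer(const char *host, size_t bufsize) {
    return bytes_sprintf_would_write(host) > bufsize;
}

/* Hardened form: reject over-long names up front, write with a bound,
 * and report truncation to the caller as an error instead of silently
 * clipping the string (a clipped hostname is itself a security problem). */
int format_connect_msg(char *out, size_t outsize, const char *host) {
    if (out == NULL || outsize == 0 || host == NULL)
        return -1;
    if (strlen(host) > MAX_HOSTNAME)
        return -1;                       /* longer than any legal domain name */
    int n = snprintf(out, outsize, "connect to %s", host);
    if (n < 0 || (size_t)n >= outsize) {
        out[0] = '\0';                   /* never hand back a partial message */
        return -1;
    }
    return n;                            /* bytes written, excluding the NUL */
}

/* Constructed test input: a hostname of exactly len characters made of
 * 'a' labels separated by dots, no label longer than 63 characters.
 * dst must have room for len + 1 bytes. */
void make_long_hostname(char *dst, size_t len) {
    for (size_t i = 0; i < len; i++)
        dst[i] = (i % 50 == 49) ? '.' : 'a';
    if (len > 0 && dst[len - 1] == '.')
        dst[len - 1] = 'a';              /* a name must not end in a dot */
    dst[len] = '\0';
}

int main(void) {
    char host[MAX_HOSTNAME + 2];         /* room for the 256-char probe + NUL */
    make_long_hostname(host, 256);

    printf("256-char hostname needs %zu bytes; fixed buffer is %d bytes: %s\n",
           bytes_sprintf_would_write(host), SMALL_BUF,
           overflows_fixed_buffer(host, SMALL_BUF) ? "OVERFLOW" : "fits");

    char out[SMALL_BUF];
    int rc = format_connect_msg(out, sizeof out, host);
    printf("bounded version with the same input: rc=%d, out=\"%s\"\n", rc, out);

    rc = format_connect_msg(out, sizeof out, "fw.example.com");
    printf("bounded version with a normal name: rc=%d, out=\"%s\"\n", rc, out);
    return 0;
}
```

The measuring trick is the same check a reviewer can apply to each hit from "grep sprintf": for every fixed buffer, ask what the longest legal input to that format string is and whether the buffer holds it plus the NUL. Here the 256-character probe needs 268 bytes against a 128-byte buffer, so the unbounded write would overflow while the bounded version refuses and returns -1.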