Firewall Wizards mailing list archives
RE: Firewall comparison
From: ark () eltex ru
Date: Tue, 2 Mar 1999 13:26:43 +0300
nuqneH, John McDonald <Johnm () Networkguys com> said:
> The only problem with the firewalls you've mentioned... they cannot detect fragmented-packet UDP storms, which is the very first penetration test we attempt against the firewalls of very recognizable companies.
That's not true. IPFilter on BSD systems handles and detects any fragmentation problems pretty well. Any application gateway is _not_ vulnerable to any kind of IP-based attack unless the host system IP stack is. The detection problem relies on things other than the AG, though. But who said a firewall _must_ be an IDS itself? They could be completely different things.
> These firewalls need to be configured from scratch, and those who are very intent on keeping their secret information secret will rely on more robust firewalls that are incredibly more secure. We have run penetration tests on every firewall imaginable over the course of the last five years. Our analysis has led us to Firewall-1 being the most secure firewall, when properly configured, on a Unix platform.
Sounds funny. AFAIR it was _Firewall-1_ that suffered various kinds of fragmentation problems due to the technology used there and implementation problems.
> We have been able to easily penetrate almost every firewall in under 24 hours, most in under 20 minutes. Generally due to misconfiguration.
Hell, I want to have a look. Could you please describe a couple of cases and the technique involved? (Something really interesting; hacking PIXen with bidirectional NAT and misconfigured filters is not.)
> Please do not rely on home-grown firewalls in a commercial organization unless you possess *extensive* knowledge of security and routing.
Routing? Why routing? Routing is the router's business; a firewall can just have all routing protocols disabled and use pure static routes.
> Otherwise, you may need to look for another job, because being hacked is NOT fun and is NOT an option for reputable companies.
P.S. posting HTML is no good.

/Arkan#iD
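As an added illustration of the point that spotting a fragmented-packet UDP storm is a sensor's job rather than the gateway's, here is a small detector over packet metadata. This is example code written for this archive page, not anything posted in the thread; the packet record fields, the window and threshold values, and the sample traffic are all assumptions.

```python
from collections import defaultdict

UDP = 17  # IP protocol number for UDP

def is_fragment(pkt):
    """An IP packet is a fragment if MF is set or its fragment offset is non-zero."""
    return pkt["mf"] or pkt["frag_off"] > 0

def fragmented_udp_storm(packets, window=1.0, threshold=20):
    """Return {src: peak_count} for sources that sent more than `threshold`
    UDP fragments inside any `window`-second span. Protocol comes from the IP
    header because only the first fragment carries the UDP header."""
    per_src = defaultdict(list)
    for p in sorted(packets, key=lambda p: p["ts"]):
        if p["proto"] == UDP and is_fragment(p):
            per_src[p["src"]].append(p["ts"])
    storms = {}
    for src, times in per_src.items():
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            storms[src] = peak
    return storms

def incomplete_datagrams(packets):
    """(src, ip_id) pairs that produced fragments but never both a first
    fragment (offset 0) and a last fragment (MF clear); a reassembler would
    hold these in its buffer until they time out."""
    seen = defaultdict(lambda: [False, False])
    for p in packets:
        if is_fragment(p):
            flags = seen[(p["src"], p["ip_id"])]
            flags[0] |= p["frag_off"] == 0
            flags[1] |= not p["mf"]
    return sorted(k for k, (first, last) in seen.items() if not (first and last))

def sample_packets():
    """Constructed sample (assumption, not captured traffic): 10.0.0.5 sends 30
    trailing UDP fragments in under half a second with no first fragment, while
    10.0.0.9 sends one ordinary two-piece datagram. Offsets are in 8-byte units."""
    pkts = [{"ts": 100.0 + i * 0.016, "src": "10.0.0.5", "proto": UDP,
             "ip_id": 1000 + i, "frag_off": 185, "mf": False} for i in range(30)]
    pkts.append({"ts": 100.2, "src": "10.0.0.9", "proto": UDP, "ip_id": 7, "frag_off": 0, "mf": True})
    pkts.append({"ts": 100.3, "src": "10.0.0.9", "proto": UDP, "ip_id": 7, "frag_off": 185, "mf": False})
    return pkts
```

Feeding it real sensor output only requires mapping each captured IP header to the same five fields.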