Firewall Wizards mailing list archives

RE: Firewall comparison


From: ark () eltex ru
Date: Tue, 2 Mar 1999 13:26:43 +0300

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

John McDonald <Johnm () Networkguys com> said:

> The only problem with the firewalls you've mentioned....They cannot
> detect fragmented packet UDP storms..which is the very first penetration
> test we attempt to penetrate the firewalls of very recognizable
> companies.

That's not true. IPFilter on BSD systems handles and detects any
fragmentation problems pretty well. Any application gateway is _not_
vulnerable to any kind of IP-based attack unless the host system IP stack
is. The detection problem relies on things other than the AG, though.
But who said a firewall _must_ be an IDS itself? They could be completely
different things..
 
> These firewalls need to be configured from scratch and those who are
> very intent on keeping their secret information secret will rely on more
> robust firewalls that are incredibly more secure. We have run
> penetration test on every firewall imaginable over the course of the
> last five years. Our analysis has led us to Firewall-1 being the most
> secure firewall, when properly configured, on a Unix platform.

Sounds funny. AFAIR it was _Firewall-1_ that suffered various kinds of
fragmentation problems due to the technology used there and implementation
problems.

> We have
> been able to easily penetrate almost every firewall in under 24 hours,
> most in under 20 minutes. Generally due to misconfiguration.

Hell, I want to have a look. Could you please describe a couple of cases
and the technique involved? (something really interesting; hacking PIXen
with bidirectional NAT and misconfigured filters is not..)
 
> Please do not rely on home grown firewalls in a commercial organization
> unless you possess *extensive* knowledge of security and routing.

Routing? Why routing? Routing is the router's business; a firewall can just
have all routing protocols disabled and use pure static routing.

> Otherwise, you may need to look for another job, because being hacked is
> NOT fun and is NOT an option for reputable companies.
 
P.S. posting HTML is no good.

                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!

