RE:SANS Top Ten and Commercial Firewalls

["manatworkyes moderator" <devekboy () hotmail com>]

A firewall is only ONE tool in the chain of products that should be used in 
order to mitigate vulnerabilities.

Personally, I am a Check Point fan. I admit and take full responsebility :-)
Their product line is far more then a firewall. Thus, mitigation of the 
problems can be achieved using their different tools, all are centrally 
managed.

For example :

W1,W2 are controlled with their Smart Defense.  U2 , including the Slapper 
worm, can also be mitigated if you only allow SSLv3 based traffic to your 
servers. (requires some INSPECT work over tcp/443)

You skipped W4 which can be controlled using CIFS rules. In this way, only 
authenticated users can access defined network shares (so here goes W5 as 
well)

They have code to check the bind vul. as well etc.
In my opinion, as a SECURITY device they are the best (Still, they can do 
more.

For the client side, it is possible to use the personal firewall and SCV 
checks. This verifies pre-defined rules that if not matched, the user will 
not be able to get into the VPN. A check can be to look for specific 
registry settings, or  specific IE settings etc.

So, to make this short (unlike you I'm lazy:-) In my opinion they cover 
about everything.

--D



-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Gary
Flynn
Sent: Wednesday, October 02, 2002 7:28 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] SANS Top Ten and Commercial Firewalls


Being efficient (as opposed to being lazy :) I thought
I'd pose a question here to a body of folks familiar with
the firewall marketplace rather than scour individual
commercial web sites where details are often rare.

Of the SANS "Twenty Most Critical Internet Security
Vulnerabilities" ( http://www.sans.org/top20 )
how many are addressed by the majority of commercial
firewalls without resorting to blocking the associated
port and service entirely?

In other words, how many of them can detect and block
things like:

W1. IIS malicious requests for cmd.exe and sample files
   and buffer overflows.
W2. Requests for MDAC access
W3. Malicious SQL Server requests based on patched defects or
   sa access without a password.
W5. Null netbios access (as opposed to all netbios access)
W6. Netbios sessions based on LM Hash.
W7. Netbios sessions to accounts with no passwords.
W8. Malicious HTTP responses exploiting IE defects.
W9. Remote Registry Access
U1. Malicious RPC calls
U2. Malicious HTTP calls to Apache web servers exploiting the
   OpenSSL or Apache chunk handling defects.
U3. Malicious SSH requests exploiting SSH defects.
U4. Malicious SNMP requests or requests with the community
   name blank or equal to "public".
U5. Malicious requests to FTP servers exploiting wu-ftp defects.
U7. Malicious requests to the line printer daemon.
U8. Malicious requests to sendmail.
U9. Malicious requests to bind.

I know there will be variances and subsets but I was hoping
to get some kind of general feeling for the overall coverage.
If you know of a better place to pose the question, please
let me know.

thanks,

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards




_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards