Re: SANS Top Ten and Commercial Firewalls

[ark () eltex ru]

nuqneH,

On Wed, Oct 02, 2002 at 02:27:45PM -0400, Gary Flynn wrote:
> Being efficient (as opposed to being lazy :) I thought
> I'd pose a question here to a body of folks familiar with
> the firewall marketplace rather than scour individual 
> commercial web sites where details are often rare.
>
> Of the SANS "Twenty Most Critical Internet Security 
> Vulnerabilities" ( http://www.sans.org/top20 )
> how many are addressed by the majority of commercial 
> firewalls without resorting to blocking the associated 
> port and service entirely?
>
> In other words, how many of them can detect and block
> things like:

Speaking on my product..

> W1. IIS malicious requests for cmd.exe and sample files
>     and buffer overflows.

Sometimes. It is often prevented _before_ vulnerability is known if 
the exploit breaks http protocol, otherwise you can block it with regexp.

Actually preventing attacks to pulic servers is tricky thing, host based
protection works better.

We even do not advise to use our firewall to protect public servers.

> W2. Requests for MDAC access

Same as the above, regexp filtering.

> W3. Malicious SQL Server requests based on patched defects or
>     sa access without a password.

Yes.

> W5. Null netbios access (as opposed to all netbios access)
> W6. Netbios sessions based on LM Hash.
> W7. Netbios sessions to accounts with no passwords.

No. Making netbios shares public is _evil_. We plan to implement 
netbios proxy, though, but it is not ready yet.

> W8. Malicious HTTP responses exploiting IE defects.

Yes, though not 100%.

> W9. Remote Registry Access

It is netbios/smb shares issue.

> U1. Malicious RPC calls

Some. Should be improved. rpc proxy is beta.

> U2. Malicious HTTP calls to Apache web servers exploiting the
>     OpenSSL or Apache chunk handling defects.

Not yet if apache handles SSL itself. See note about IIS above.

> U3. Malicious SSH requests exploiting SSH defects.

Not yet, though we plan to implement ssh proxy.

> U4. Malicious SNMP requests or requests with the community
>     name blank or equal to "public".

Not yet, though we plan to implement snmp proxy. But it is better
to filter snmp access from outside.

> U5. Malicious requests to FTP servers exploiting wu-ftp defects.

Yes.

> U7. Malicious requests to the line printer daemon.

Yes, long before vulnerabilites became known.

> U8. Malicious requests to sendmail.

Yes, same as U7.

> U9. Malicious requests to bind.

Yes, same as U7.

> I know there will be variances and subsets but I was hoping
> to get some kind of general feeling for the overall coverage.
> If you know of a better place to pose the question, please
> let me know.
>
> thanks,
>
> -- 
> Gary Flynn
> Security Engineer - Technical Services
> James Madison University
>
> Please R.U.N.S.A.F.E.
> http://www.jmu.edu/computing/runsafe
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

-- 
                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards