Firewall Wizards mailing list archives

Re: SANS Top Ten and Commercial Firewalls


From: "Paul D. Robertson" <proberts () patriot net>
Date: Fri, 4 Oct 2002 10:21:34 -0400 (EDT)

On Fri, 4 Oct 2002, Devdas Bhagat wrote:

> > (A) Project history- Postfix and Qmail have held up well, proftpd erm,
> > hasn't.  I haven't followed the other two, since FTP is on my list of "Horribly
> > broken protocols I'll never support."
> I'll agree with this. Proftpd has not had a showstopping bug except for
> a DOS due to globbing (IIRC). There have been minor bugs, but none of

Just after Flood dropped the project I seem to recall a spate of exploits, 
one after another[1].  Looking back, I count 3 definite root exploits, a 
couple of other issues that'd make me not want to put it in a hostile 
environment.

Personally, I'd have looked at one I hadn't run before, or the BSD one, 
which has only had a couple of issues in the last few years, and I don't 
think any of them were unique to that instance.

> them were the security kind.
> I haven't run an ftpd for quite some time, and when I was looking (about
> Nov/Dec 2000), proftpd was the best choice due to its easy config and
> relative security. Current status is a wholly different issue.

Personally, I'd look elsewhere given the history (and that's not saying it 
hasn't been fixed, it's saying I don't trust the original goal of security 
in the design given its lack of compliance with that goal.)  I'll give 
you "easy to config," because it met that goal quite well, but in Nov of 
2000, it was just done with a raft of exploits, bugs and a change of 
maintainership- none of them particularly confidence inspiring in my 
opinion.

> > (B) Look at the code.
> This always works, but it's a question of time on the security people's
> part.

Yes, but if you never do it, you'll never get time budgeted for it.  I 
used to do per-protocol risk assessments for weeks before allowing or 
disallowing anything new- sometimes it wasn't overly necessary, it was 
*obvious* that the answer was going to be no, but doing some of those 
anyway got the organization in tune with "new stuff takes weeks of 
examination."

> > (C) Developer history.
> Good stance to go by for first filtering.

People used to grep for "Vixie" to find exploits.  Sad, but true.

> > (D) Developer's understanding of the protocol and its weaknesses.
> Difficult to judge rapidly, since the weaknesses are usually at the
> boundaries. Also, the developer's understanding of the language used.

In that case use it in reverse, add points to those who can and do 
articulate it well.

Paul
[1] ProFTPD 1.2pre1-pre5 Long Path Buffer Overflow
    ProFTPD 1.2.0rc3-1.2.2 PTR hostname ACL/logging
    ProFTPD 1.2.0rc3-1.2 Globbing issue
    ProFTPD 1.2pre9-1.2 SITE DoS
    ProFTPD 1.2pre9-1.2 SIZE DoS
    ProFTPD 1.2pre9-1.2 Probably non-exploitable cwd format string
    ProFTPD 1.2pre9-1.2 Probably non-exploitable ERROR_MSG
    ProFTPD 1.2pre2-1.2pre11 USER DoS
    ProFTPD 1.2pre1-1.2pre10 Setproctitle() Overflow
    ProFTPD 1.2.0rc3-1.2pre11 SQL passwords and local users
    I seem to recall about pre-1 or pre2 through pre-6 or so being "bug of
    the day" sorts of things.


Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

