Firewall Wizards mailing list archives
Re: FirePass questions
From: "Ben Nagy" <ben () iagu net>
Date: Tue, 18 Feb 2003 10:03:18 -0000
----- Original Message -----
From: <john.smith () minolta-qms com>
To: <firewall-wizards () honor icsalabs com>
Sent: Friday, February 14, 2003 4:37 PM
Subject: [fw-wiz] FirePass questions
> Greetings Everyone,
>
> I've searched through the 2002 and 2003 Bugtraq, Firewall Wizards and VPN
> lists and not come up with anything.
>
> A group within our company is looking at the FirePass appliance
> (www.uroam.com). The appliance appears to work by punching a hole through
> your firewall and offers a whole range of services.
>
> My opinion is that this is a *very* bad thing:
As opposed to a "standard" VPN solution, which works how, again? ;)

Without the hand-waving and chest-thumping parts, it looks like this box just uses SSL to replace the encryption bit of a "normal" VPN and then uses some web middleware to enable various kinds of access. I think that Citrix still uses a pretty similar paradigm to enable "secure" thin client solutions in a browser using Java.

I wouldn't worry about the crypto end of things. SSL is an OK protocol, which is well understood, and nobody is going to crack your 1024-bit server key. If they do I'll buy you a beer, I promise.

I would agree that quick and dirty enabling of client access out to random remote devices is a problem, but it's not one that's unique to this solution - most well thought out VPN solutions consider the concept as well. (As far as I can tell, that was a total of two solutions worldwide in FY2003.)

The particular, worrying, risks which this genre of solutions add to the mix are bad browsers and hostile server attacks based on poor handling of server-certs in a number of ways. These are pretty nasty risks, and yossarian's comments in those areas seem sensible to me.

So, in short, I agree that it sounds like an awful can of worms, but I think that focused analysis of where the failings are is more likely to steer you on the right security path than the general primal monkey-fear reaction.

Having said that...

Ook, ook, this looks like a dodgy-ass box. Run away! Spank own backside!

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
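The "poor handling of server-certs" risk Ben raises above (a client that will talk TLS to any server that answers) is easiest to see as a client configuration. The following is an added example, not code from the thread or from the FirePass product: it builds the weak client context beside a hardened one using only Python's standard `ssl` module, and an `audit_context()` helper that reports the settings an assessor would flag. The `make_weak_context`, `make_hardened_context` and `audit_context` names and the finding labels are this example's own; no FirePass behaviour is assumed.

```python
"""Weak vs. hardened TLS client configuration, and an audit of each.

Added example (not from the original mailing-list thread). Uses only the
Python standard library so it runs offline; it never opens a socket.
"""
import ssl


def make_weak_context() -> ssl.SSLContext:
    """Client context that accepts any server certificate ("trust whatever answers").

    This is the mistake the thread warns about: a hostile server that the
    client has been pointed at (or redirected to) is accepted without question.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Order matters: Python refuses CERT_NONE while check_hostname is still True,
    # so a careless developer disables hostname checking first, then verification.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_hardened_context() -> ssl.SSLContext:
    """Client context that verifies the chain, matches the hostname, and pins a floor."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of short finding labels; an empty list means nothing to flag."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode")        # server certificate chain not validated
    if not ctx.check_hostname:
        findings.append("check_hostname")     # any valid cert for any name is accepted
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version")    # legacy protocol versions negotiable
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", make_weak_context()),
                       ("hardened", make_hardened_context())):
        print(f"{label:9s} findings: {audit_context(ctx) or 'none'}")
```

The ordering trap in `make_weak_context()` is worth remembering when reviewing client code: a `check_hostname = False` line immediately above a `verify_mode = CERT_NONE` line is the usual signature of "just make the certificate error go away", and it is exactly the configuration a hostile server attack needs.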
Current thread:
- FirePass questions john . smith (Feb 14)
- Re: FirePass questions yossarian (Feb 14)
- Re: FirePass questions Ben Nagy (Feb 18)
- <Possible follow-ups>
- Re: FirePass questions Joseph Steinberg (Feb 18)