Firewall Wizards mailing list archives

Re: FirePass questions


From: "Ben Nagy" <ben () iagu net>
Date: Tue, 18 Feb 2003 10:03:18 -0000

----- Original Message -----
From: <john.smith () minolta-qms com>
To: <firewall-wizards () honor icsalabs com>
Sent: Friday, February 14, 2003 4:37 PM
Subject: [fw-wiz] FirePass questions


Greetings Everyone,

I've searched through the 2002 and 2003 Bugtraq, Firewall Wizards and VPN
lists and have not come up with anything.

A group within our company is looking at the FirePass appliance
(www.uroam.com).  The appliance appears to work by punching a hole through
your firewall and offers a whole range of services.

My opinion is that this is a *very* bad thing:

As opposed to a "standard" VPN solution, which works how, again? ;)

Without the hand-waving and chest-thumping parts, it looks like this box
just uses SSL to replace the encrypty bit of a "normal" VPN and then uses
some web middleware to enable various kinds of access. I think that Citrix
still uses a pretty similar paradigm to enable "secure" thin client
solutions in a browser using Java.

I wouldn't worry about the crypto end of things. SSL is an OK protocol,
which is well understood, and nobody is going to crack your 1024 bit server
key. If they do I'll buy you a beer, I promise.

I would agree that quick and dirty enabling of client access out to random
remote devices is a problem, but it's not one that's unique to this
solution - most well thought out VPN solutions consider the concept as well.
(As far as I can tell, that was a total of two solutions worldwide in
FY2003)

The particular worrying risks which this genre of solutions adds to the mix
are bad browsers and hostile server attacks based on poor handling of
server certs in a number of ways. These are pretty nasty risks, and
yossarian's comments in those areas seem sensible to me.

So, in short, I agree that it sounds like an awful can of worms, but I think
that focused analysis of where the failings are is more likely to steer you
on the right security path than the general primal monkey-fear reaction.
Having said that...

Ook, ook, this looks like a dodgy-ass box. Run away! Spank own backside!

ben


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards