Information Security News mailing list archives

Hackers Breach Firewall-1


From: InfoSec News <isn () C4I ORG>
Date: Thu, 3 Aug 2000 16:34:50 -0500

http://www.zdnet.com/zdnn/stories/news/0,4586,2610719,00.html?chkpt=zdhpnews01

By David Raikow, Sm@rt Partner
August 2, 2000 6:32 AM PT

An audience of several hundred network security professionals watched
with rapt attention last week as a trio of hackers repeatedly
penetrated one of the industry's most trusted and popular firewall
products -- Checkpoint Software's Firewall-1. The demonstration,
presented at the "Black Hat" security conference in Las Vegas,
challenged the widely accepted notion that firewalls are largely
immune to direct attack.

The panel -- John McDonald and Thomas Lopatic of German security firm
Data Protect GmbH and Dug Song of the University of Michigan --
identified three general categories of firewall attacks. They began by
demonstrating a number of relatively simple techniques by which an
attacker could impersonate an authorized administrator, and thus gain
access to the firewall application itself.

A second type of attack tricked the firewall into believing an
unauthorized Internet connection was actually an authorized virtual
private network connection. Finally, the panel exploited a number of
errors in the process used to examine traffic passing through the
firewall to sneak in dangerous commands.

While their presentation focussed on a single commercial firewall
product, panel members repeatedly emphasized that most firewalls are
vulnerable to the types of attacks demonstrated. "The problem is not
just with [Firewall-1]," said Song. "The real problem is the blind
trust most people place in their firewalls."

Greg Smith, Checkpoint's director of product marketing for Firewall-1,
pointed out that many of the attacks demonstrated relied on improper
firewall configuration, and he asserted that they presented little
practical threat. "Not a single customer has reported a problem with
any of these issues."

Nevertheless, Checkpoint worked with McDonald, Lopatic and Song in
developing defenses against the attacks, which they released as part
of Firewall-1 Service Pack 2 immediately following the demonstration.
Checkpoint emphasized that the service pack should prevent all of the
attacks discussed, even those dependent on misconfiguration.

The panel also recommended a number of additional steps for
"hardening" firewalls, including use of strong authentication
protocols, "anti-spoofing" mechanisms and highly restrictive access
rules. At the same time, they called on the IT community to abandon
the "single firewall" model of network security and implement multiple
lines of defense.

However, one observer of the session, employed by a network switch
manufacturer, thinks Checkpoint lost some credibility over its
products. "Some of the exploited areas were because of dumb
programming mistakes in the code for the firewall itself. If the
[firewall] programmers can't get it right, what other problems may
still be lurking?" he pondered.

ISN is hosted by SecurityFocus.com