nanog mailing list archives
Re: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1
From: "Christopher L. Morrow" <chris () UU NET>
Date: Thu, 5 Feb 2004 17:15:26 +0000 (GMT)
not that I'm a fan of any firewall product in particular, but...

On Thu, 5 Feb 2004, Suresh Ramasubramanian wrote:

> "Dan" == Ingevaldson, Dan (ISS Atlanta) <dsi () iss net> writes:
>
> Dan> http://xforce.iss.net/xforce/alerts/id/162
> Dan> http://xforce.iss.net/xforce/alerts/id/163
>
> You know, I'm quite allergic to that word "checkpoint". Perhaps I'm completely wrong here, but ..
>
> Might be a good idea to deploy openbsd firewalls instead of expensive and buggy stuff like Checkpoint :)
>
> Anything which reduces "security" to point and click on a cute web or other GUI interface is dangerous... allows untrained and completely
Sure, anything is dangerous in the 'right' (wrong?) hands. Is the fault with the vendor or the person(s) implementing or the 'management' of said person(s)? Even an openbsd firewall is a problem if not properly admin'd.
> That idiot basically saw lots of inbound traffic to port 22 on our machines, didn't know what the hell that was, and firewalled port 22 across the ISP's network.
port 22 is bad though, right? Clearly this was the wrong person to be doing this job, he could have just as easily been looking at netflow output and dumped this traffic with an acl on his fancy router... The tool used is immaterial, his level of clue is what is at issue.
> while the guy stood up to call his supervisor in to try to convince us (me and my boss) that yes, he knew what he was doing, he had an MCSE and a CCNA after all, etc.
there is a dilbert about this very thing ;) "Harness the power of CERTIFICATION!!!"
> Is there some really good "network security for dummies" book that I can point such people at? Telling them to google doesn't do much good, I fear :(
Nope, but pointing out their failures in a sensible manner to their management is helpful... sometimes at least :( Failing any action there the whole group is just shooting themselves in the foot and there isn't much you can do about that, is there? (except to get out of the blast radius)
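The exchange above contrasts an admin who saw unfamiliar inbound port-22 traffic and blocked the port across the whole ISP with the alternative Chris suggests: look at the netflow output first and act on what it actually shows. As an added example (not code from the original thread or from any vendor), here is a small Python triage script that summarises NetFlow-style records per destination port, separates a single source sweeping many destinations from ordinary sessions concentrated on a few servers, and reports what a blanket port block would have cut off. The flow records and the four-field record layout are constructed for the example, not any exporter's real format.

```python
"""Triage inbound traffic by destination port from NetFlow-style records
before deciding whether anything needs to be blocked.

Added example, not code from the original thread. The records below are
constructed, and the (src, dst, dport, packets) layout is an assumption,
not any particular NetFlow exporter's format.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    packets: int


# Constructed sample: a few long SSH sessions from three admin hosts to two
# servers, one source touching port 22 on twelve addresses with a single
# packet each, and some unremarkable web traffic to one server.
SAMPLE_FLOWS = (
    [Flow("203.0.113.10", "198.51.100.5", 22, 412),
     Flow("203.0.113.11", "198.51.100.5", 22, 87),
     Flow("203.0.113.12", "198.51.100.6", 22, 1530),
     Flow("203.0.113.10", "198.51.100.6", 22, 260)]
    + [Flow("192.0.2.77", f"198.51.100.{i}", 22, 1) for i in range(1, 13)]
    + [Flow(f"203.0.113.{i}", "198.51.100.80", 80, 25) for i in range(20, 30)]
)


def summarize_by_port(flows):
    """Aggregate per destination port: flow/packet counts, distinct sources
    and destinations, and which destinations each source touched."""
    stats = {}
    for f in flows:
        s = stats.setdefault(f.dport, {
            "flows": 0, "packets": 0, "srcs": set(), "dsts": set(),
            "per_src": defaultdict(set),
        })
        s["flows"] += 1
        s["packets"] += f.packets
        s["srcs"].add(f.src)
        s["dsts"].add(f.dst)
        s["per_src"][f.src].add(f.dst)
    return stats


def classify(stat, sweep_threshold=8):
    """Label a port's traffic. A single source that reaches at least
    sweep_threshold distinct destinations is reported as a sweep; anything
    else is treated as a service being used normally. The threshold is an
    assumed value; tune it to the size of the address space being watched."""
    for src, dsts in stat["per_src"].items():
        if len(dsts) >= sweep_threshold:
            return "sweep", src
    return "service", None


def triage(flows):
    """Return {dport: summary dict with counts, verdict and sweeper}."""
    out = {}
    for port, st in summarize_by_port(flows).items():
        verdict, who = classify(st)
        out[port] = {
            "flows": st["flows"], "packets": st["packets"],
            "srcs": len(st["srcs"]), "dsts": len(st["dsts"]),
            "verdict": verdict, "sweeper": who,
        }
    return out


def blanket_block_cost(flows, port, sweeper):
    """What a port-wide block would collateral-damage: the number of flows
    and distinct sources on that port that are NOT the flagged sweeper."""
    legit = [f for f in flows if f.dport == port and f.src != sweeper]
    return len(legit), len({f.src for f in legit})


if __name__ == "__main__":
    report = triage(SAMPLE_FLOWS)
    for port in sorted(report):
        r = report[port]
        print(f"dport {port:>5}: {r['flows']:>3} flows {r['packets']:>6} pkts "
              f"{r['srcs']:>3} srcs {r['dsts']:>3} dsts  -> {r['verdict']}"
              + (f" from {r['sweeper']}" if r["sweeper"] else ""))
        if r["verdict"] == "sweep":
            n_flows, n_srcs = blanket_block_cost(SAMPLE_FLOWS, port, r["sweeper"])
            print(f"             blocking port {port} everywhere would also cut "
                  f"{n_flows} legitimate flows from {n_srcs} sources; "
                  f"filtering {r['sweeper']} alone would not")
```

Run as-is to see the constructed report: port 22 is flagged as a sweep from one source, and the cost line shows that the admin's port-wide block would also have severed the real SSH sessions that a per-source filter on the router would leave alone. Swap `SAMPLE_FLOWS` for records parsed from your own collector to use it for real.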