Vulnerability Development mailing list archives

Re: Information on Raptor


From: jcrooks () CDNX CA (James Crooks)
Date: Tue, 22 Feb 2000 01:17:28 -0800


Malikai wrote:

below are the issues I have with this product. I have just recently taken
the NetGuard and NetMaster courses with Axent for a client of mine. I had
a few big issues personally, however I am not sure if they are really
issues, or if I was miscommunicated to during the class.

I found that when I took the Raptor courses a few years ago, the instructors
weren't from Raptor (3rd party contractors) and either didn't fully understand
the Raptor designs or didn't agree with them. I did find that I got
misinformation or incomplete information from the instructor in a number of
instances.

I will start off with what I know are issues, and then continue with what
I believe are. None of this is certain, except for the performance ones,
which are common to all application gateways.

1. Performance
This is an application gateway, which is slower than (almost) any packet
filtering system.

As an application gateway, Raptor can do more for you like checking protocol
syntax (HTTP, SMTP, etc.) for valid traffic and denying access if an invalid
protocol format is found. To be fast, packet filtering systems can't inspect
upper layer protocols to any great extent, so they intrinsically provide less
protection.

2. DNSD
Apparently this is a full function DNS server capable of handling all
standard DNS functionality. This also wants to be your primary DNS
server. (Your firewall is your DNS server too?!) What about DNS cache
poisoning?

This is in place to support sites that want an "all in one" solution (includes
"split" DNS for different views from either side). You can still provide DNS
services on other boxes for external customers and still allow internal DNS
requests to flow through the firewall to the Internet.

3. VPN logging
I can't really believe this one and hope there is some form of workaround
for it however, this is what I understood. This is the default configuration.
There is no logging of VPN/tunneled traffic. This means there is no way
to audit any VPN traffic, or store logs of anything going through the VPN
layer of the proxy. Blindfolded?

In Raptor 6.5 VPN/Tunnelled traffic is handled by the GSP (Generalized Service
Passer) with full logging support.

A summary of what I understand is fairly simple here. Application gateways
(when not single application gateways, like HTTP proxies), are very
complex, slow, and fail to keep it simple. This is a firewall we are
talking about here, and why should internal (or even worse,
external) clients be talking directly to the firewall? I don't mind tools
like the MimeSweeper, or any specific function proxies. However, when we
shove it all into one box, we just slowed down and decreased by a magnitude
the security of the gateway.

Application proxies aren't for everyone:

   * Application proxy performance has a significant overhead per connection
     (you've got to do twice the number of TCP connections just for starters, and
     then you get to the proxy verification, etc.) as well as the overall
     internal/external application response time profile - if you want or need
     super-fast then stay away from proxy (but you also lose some application
     level security protection).
   * I don't think you can argue that a proxy external to the firewall is any
     more or less efficient than an internal one (you've got the extra connection
     to make anyway and an external box means another platform and OS to
     support, not to mention another vendor...)
   * Offering services (including proxy) directly from the firewall is a
     philosophical issue and could easily take on the aspects of a religious war
     (just like UNIX/Linux vs NT!).
   * I'm not sure that you can categorically say that internal proxies decrease
     the security of the gateway (I can spin some "interesting" port 80 DOS and
     other attacks straight through a stateful inspection box that my proxy box
     stops cold).

/jc

-Malikai

On Sun, 20 Feb 2000, Martin M Samson wrote:

Good day to all,

This is my first posting to this list.

We own a Raptor Firewall for NT Integrated Enterprise Network.
The version is 6.0.

We've been told (by consultants) that this type of firewall has
many flaws.

Where could we find a complete list of points to investigate on
the vulnerability of our firewall?

Positive/negative feedback on the product is also welcome...

We will need to buy a second firewall to reorganize our security
this year, what is (in your opinion) the best machine?


Please reply to: Martin.Samson () visa desjardins com



Merci, Thanks!

Mart!
---------
Bonne journée! / Have a nice day!

Thought of the week: On the surface, life has no meaning, and yet it is
impossible that there isn't one! (Albert Einstein)
*****************
Martin M Samson
Consultant, Project Management.
514-994-2243
http://pages.infinit.net/cci


--
James Crooks BScCS I.S.P. CISSP, Technical Consultant-Technology
Canadian Venture Exchange 604-643-6568 FAX 604-643-6563
mailto:jcrooks () cdnx ca http://www.cdnx.ca ftp://ftp.cdnx.ca
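As an added illustration (not code from the original thread or from Raptor) of the protocol-syntax checking James describes under point 1, here is a minimal HTTP request-head validator of the kind an application gateway runs before it opens the second TCP connection to the server; a packet filter never sees this layer. The allowed-method set and the size limits are constructed assumptions for the example.

```python
import re

# Constructed policy for this example (an assumption, not Raptor's actual rules):
# what the gateway accepts before relaying the request to the real server.
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST", b"OPTIONS"}
MAX_REQUEST_LINE = 2048
MAX_HEADERS = 100
TOKEN_RE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 token characters
VERSION_RE = re.compile(rb"^HTTP/1\.[01]$")
CTL_RE = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")          # control chars other than HTAB


def check_http_request(raw: bytes):
    """Inspect the head of a client request (everything up to the blank line).
    Returns (True, "ok") when it is well-formed HTTP/1.x under the policy above,
    otherwise (False, reason); a gateway would deny the connection and log the reason."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end of headers"
    lines = head.split(b"\r\n")
    if len(lines[0]) > MAX_REQUEST_LINE:
        return False, "request line too long"
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if not VERSION_RE.match(version):
        return False, "bad HTTP version"
    # Accept origin-form (/path), absolute-form (http://host/path) or "*" only.
    if CTL_RE.search(target) or not (target == b"*" or target.startswith((b"/", b"http://"))):
        return False, "bad request target"
    if len(lines) - 1 > MAX_HEADERS:
        return False, "too many headers"
    seen = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return False, "malformed header line"
        if not TOKEN_RE.match(name):
            return False, "invalid header name"
        if CTL_RE.search(value):
            return False, "control character in header value"
        seen.setdefault(name.lower(), []).append(value.strip())
    if version == b"HTTP/1.1" and b"host" not in seen:
        return False, "missing Host header"
    if len(seen.get(b"content-length", [])) > 1:
        return False, "conflicting Content-Length headers"
    return True, "ok"
```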


