At 10:44 AM 5/4/01 -0400, Jim Brown wrote:
>Security holes in lower layers? Where did you come up with that, your Cisco
>rep?
>
>-----Original Message-----
>From: Eugene Nine [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, May 03, 2001 5:01 PM
>To: [EMAIL PROTECTED]
>Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
>
>
>PIX goes up to layer 4, so it won't do things like URL filtering.
>Checkpoint (or other SW) can do higher layer protection but may not be as
>good at the lower layers (due to security holes in the OS, etc)
>Eugene

I think he is just pointing out that the underlying OS can be a potential 
security vulnerability.  It is kind of the "Don't use OpenBSD + IPFilter, 
use a PIX box since it is dedicated, no holes in the OS, etc".

My take on it is that everything needs some level of software to run, even 
the Pix, so if the argument is merely the OS, even the Pix is 
vulnerable.  A cursory look at bugtraq will show that the Pix has been just as 
vulnerable as any other OS.  (ok, maybe not as bad as some of the more 
popular ones we know....  ;)  )

One of the real reasons why people felt the "OS" could be vulnerable (in a 
general sense, not specifically to checkpoint) is the services they 
run.  It is somewhat trivial to lock down any box running any OS to 
minimal services.  Very rarely are there inherent flaws in the OS itself 
that lead to a compromise; it is the services that do so.  However, most 
people are not "unix savvy" enough to lock down the box properly, so they open 
themselves up to script kiddies.

The Pix does a bit more (mini-proxy like actions like 'fixups'), so it 
actually lends itself to being slightly more vulnerable than say an OpenBSD 
box + IPFilter.  However, there are pros and cons in any field.  (learning 
curve of a unix box, OS is not optimized for packet filtering like a Pix box, 
checkpoint more expensive?  etc).  I do not know much about the checkpoint.

Also, nowadays, there are very few OS specific holes, it's usually bad 
services/daemons.



-Carroll Kong
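The "lock the box down to minimal services" point above is the kind of thing a firewall host audit should check automatically. As an added example (not from this thread or from any vendor), the POSIX shell function below takes `ss -lntu`-style listener lines and an allowlist of proto/port pairs and reports every non-loopback listener that is not on the list; the sample listener lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample in the shape of `ss -lntu` output (not from a real host).
SAMPLE_LISTENERS='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
tcp LISTEN 0 5 0.0.0.0:111 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:111 0.0.0.0:*
tcp LISTEN 0 128 [::]:23 [::]:*
udp UNCONN 0 0 0.0.0.0:161 0.0.0.0:*'

# Allowlist for a dedicated packet-filter host: management SSH only (assumption).
ALLOWED="tcp/22"

# unexpected_listeners LISTENER_LINES ALLOWED
#   Prints each proto/port bound to a non-loopback address that is not in the
#   space-separated allowlist, one per line, sorted and de-duplicated.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 5 {
            addr = $5
            if (addr !~ /:/) next               # skips the header line
            port = addr; sub(/.*:/, "", port)   # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)
            if (host == "127.0.0.1" || host == "[::1]") next   # loopback only
            key = $1 "/" port
            if (!(key in ok)) print key
        }' | LC_ALL=C sort -u
}

# count_unexpected LISTENER_LINES ALLOWED
#   Number of unexpected listeners; 0 means the host matches its allowlist.
count_unexpected() {
    unexpected_listeners "$1" "$2" | awk 'END { print NR }'
}
```

On a live host, feed the function `"$(ss -lntu)"` instead of the sample and treat any non-zero count as a service that needs justifying or disabling.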




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3205&t=2878
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]