At 10:44 AM 5/4/01 -0400, Jim Brown wrote:
>Security holes in lower layers? Where did you come up with that, your Cisco
>rep?
>
>-----Original Message-----
>From: Eugene Nine [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, May 03, 2001 5:01 PM
>To: [EMAIL PROTECTED]
>Subject: Re: Cisco PIX vs Checkpoint FIrewall-1 [7:2878]
>
>
>PIX goes up to layer 4, so it won't do things like URL filtering.
>Checkpoint (or other SW) can do higher layer protection but may not be as
>good at the lower layers (due to security holes in the OS, etc.)
>Eugene
I think he is just pointing out that the underlying OS can be a potential
security vulnerability. It is kind of the "Don't use OpenBSD + IPFilter,
use a PIX box since it is dedicated, no holes in the OS, etc." argument.
My take on it is that, everything needs some level of software to run, even
the Pix, so if the argument is merely the OS, even the Pix is
vulnerable. A cursory look at bugtraq will show that Pix has been just as
vulnerable as any other OS. (ok, maybe not as bad as some of the more
popular ones we know.... ;) )
One of the real reasons why people felt the "OS" could be vulnerable (in a
general sense, not specifically to checkpoint) is the services they
run. It is somewhat trivial to lock down any box running any OS to
minimal services. Very rarely are there inherent flaws in the OS itself
that lead to a compromise; it is the services that do so. However, most
people are not "unix savvy" enough to lock down the box properly, so they open
themselves up to script kiddies.
The Pix does a bit more (mini-proxy like actions like 'fixups'), so it
actually lends itself to being slightly more vulnerable than, say, an OpenBSD
box + IPFilter. However, there are pros and cons in any field. (learning
curve of a unix box, OS is not optimized for packet filtering like Pix box,
checkpoint more expensive? etc). I do not know much about the checkpoint.
Also, nowadays, there are very few OS specific holes, it's usually bad
services/daemons.
-Carroll Kong
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3205&t=2878
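The "lock the box down to minimal services" point above, as an added example that is not part of Carroll Kong's post or the list archive: a small POSIX shell audit that compares a host's listening sockets against an allowlist of ports the box is supposed to expose, which is the check you run after hardening (and from cron afterwards) to prove the only reachable services are the ones you meant to leave on. The `ss -ltnp` output is a constructed sample embedded inline so it runs offline; the allowlist and the loopback-is-fine rule are this example's assumptions. On a live Linux box you would pipe real `ss -ltnp` into `audit_listeners`; on OpenBSD the equivalent is `netstat -an` or `fstat`, whose columns differ, so the awk field numbers would need adjusting.

```shell
#!/bin/sh
# Added example: flag listening sockets that are not on the allowlist.
# Loopback-only listeners are ignored (not reachable from the network);
# anything bound to a wildcard or routable address must be on the allowlist.

# Constructed sample of `ss -ltnp` output (not captured from a real host).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:25         0.0.0.0:*          users:(("master",pid=901,fd=13))
LISTEN  0       50      0.0.0.0:111          0.0.0.0:*          users:(("rpcbind",pid=455,fd=8))
LISTEN  0       128     0.0.0.0:6000         0.0.0.0:*          users:(("Xorg",pid=1203,fd=5))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))'

# audit_listeners "<space-separated allowed ports>"
# Reads ss -ltnp output on stdin and prints "port address process" for every
# non-loopback listener whose port is not allowed. Returns 1 if any were
# found (useful as a cron check), 0 if the box is as tight as the allowlist.
audit_listeners() {
    found=$(awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            la = $4                              # "Local Address:Port" column
            port = la; sub(/.*:/, "", port)      # text after the last colon
            addr = la; sub(/:[^:]*$/, "", addr)  # everything before it
            if (addr == "127.0.0.1" || addr == "[::1]") next   # loopback only
            if (port in ok) next                 # expected service
            proc = "?"
            if (match($0, /\("[^"]+"/))          # name inside users:(("name",...))
                proc = substr($0, RSTART + 2, RLENGTH - 3)
            print port, addr, proc
        }')
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Demo: only sshd is meant to face the network, so rpcbind and X11 get flagged.
printf '%s\n' "$SAMPLE_SS" | audit_listeners "22" || echo "unexpected listeners found"
```

Each flagged line names the process, so the fix is the one the post describes: disable the daemon (or bind it to loopback) rather than hunt for an "OS hole". Postfix on 127.0.0.1:25 is not reported because nothing off-box can reach it; the IPv6 sshd socket passes because the allowlist is by port, not by address family.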
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]