No I don't but I am arrogant enough to think the ability to eliminate
firewall pretenders is easy.  (For those of you that understand this at a
much deeper level - I am not oversimplifying in the examples I give -- I
just don't yet understand it like you do.)

Does it protect you at the transport layer?  Will it filter spoofing
attacks?  Will it block specific IP ports?  Most likely it succeeds at this
level?

Does it protect you at the protocol level?  Will it make certain that
requests for certain protocols are well formed and do not run the risk of
causing buffer overruns?  Will it make certain that other application
protocol level exploits are not in play?

Does it protect you at the application layer?  Will it filter your email for
harmful MIME content?  Will it check that Java applications, JavaScript,
and ActiveX script are signed or harmless?  Does it have a reasonable
strategy for checking recursively for attacks, as in: if I zip a 90 MB file,
and then zip copies of that file, can I hide a virus several layers deep, or
can I crash your email with a small file that expands in a Chinese gift box
fashion to something enormous? Does it check that files sent through AIM,
ICQ, or IRC are harmless?

I think a true firewall checks at the first two levels and can be extended
at the third level.
I suspect the program you are looking at only operates at the first level
I've described.  This leaves you open to a host of extant and possible
exploits.

At the second level - Numerous exploits exist that would cause a buffer
overrun with malformed requests.  The results of these could be the
execution of machine code which on the Intel platform could be anything.
This is most likely to be a Denial of Service but could include the exposure
of private data especially if paired with programs like Back Orifice or 

At the Third level this does not include anything that could not be included
at a second level attack but is more likely to include the exposure of
private data.  A far greater range of lusers can attack at this level as
demonstrated by the recent and constant barrage of attacks that operate at
this level.  While many users can be educated not to click on any damn thing
a possibly equal number cannot.  Assume users are dumb enough to click on an
attachment because it is there and you might actually secure your environment.


The Zipped_Files 'Worm' operates at this level.  ( Hey folks we're educated
in this shit - Zipped_Files is a virus with an only slightly user dependent
transmission method but it is not a Worm.  If Zipped_Files took advantage of
the MIME attachment filename exploit in Outlook it would begin to cross the
border between Worm and Virus.  Some user interaction would still be
required but when it crosses from clicking an email attachment to merely
opening an email or even merely opening email is where I think you start to
head to being a Worm.  In the strict sense -- as in the way the Jargon file
would define it -- opening email is user interaction, but if opening email
triggered transmission I would call it a worm.  If the user must go deeper
than opening an email to trigger transmission then I think we are talking
about a virus.  In any event if you are not protected against the third
layer of malformed applications then you are not protected against attacks
that already exist in the wild and you could - realistically - lose every
piece of data on your networks.

I would hope that you could recover yesterday's information from a backup -
but is an organization wide man-day (realistically more) worth the 4-5K it
will cost you to lock down to this level?

-----Original Message-----
From: j [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 25, 1999 11:48 PM
To: [EMAIL PROTECTED]
Subject: Freegate Internet Appliance


We are in the process of evaluating Freegate's OneGate 1000 hardware
appliance.

It promises firewall, VPN, email, DNS, DHCP, etc, etc...

This feels _too_ good to be true, but the $$$ savings are making my CFO pant
over the cost savings vs. other solutions we've examined (Email srvr,
separate firewall, separate VPN hardware, etc).

Does anyone have any experience with this beastie?

Much appreciated.

jim


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
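
Added example, not part of the original messages: one way a mail gateway
could implement the recursive archive check the reply above asks about,
bounding both nesting depth and total expanded size. The limits, the function
names and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile


class ArchiveRejected(Exception):
    """Attachment exceeds the (assumed) inspection policy."""


def inspect_zip(data, max_depth=3, budget=None, depth=0):
    """Recursively unpack a zip in memory; return total expanded bytes."""
    if budget is None:
        # One-element list shared by every nesting level, so the cap covers
        # the whole attachment. Assumed policy: 50 MiB expanded in total.
        budget = [50 * 2**20]
    if depth > max_depth:
        raise ArchiveRejected("nested deeper than %d levels" % max_depth)
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                # Sizes in zip headers can lie, so count the bytes that
                # actually leave the decompressor and stop one past budget.
                body = member.read(budget[0] + 1)
            budget[0] -= len(body)
            if budget[0] < 0:
                raise ArchiveRejected("expanded size over budget")
            total += len(body)
            if zipfile.is_zipfile(io.BytesIO(body)):
                total += inspect_zip(body, max_depth, budget, depth + 1)
            # A gateway would pass `body` to its content scanner here.
    return total


def allowed(data, **policy):
    """True if the attachment unpacks fully within policy."""
    try:
        inspect_zip(data, **policy)
        return True
    except (ArchiveRejected, zipfile.BadZipFile):
        return False


def make_nested(payload, layers):
    """Constructed sample input: payload wrapped in `layers` zip layers."""
    for _ in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("inner.bin", payload)
        payload = buf.getvalue()
    return payload
```

Because the budget is decremented as bytes are read, inspection stops as soon
as the limit is crossed instead of expanding the whole attachment first.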