On Tue, 30 May 2000, Steve George wrote:

> As to Grambles original point, I'm not sure why there's been little
> discussion of this, perhaps people don't realise the magnitude of a full
> default remote exploit of a 'major' firewall system?  I'm also not sure how

Maybe because most people who install Gauntlet turn off everything that
isn't totally necessary?  I don't know why anyone would choose a default
installation of a critical security product.  I've installed and helped
others install a fair number of Gauntlet systems (along with a few
different commercial firewalls- none of which received a default install),
and I've never had even one with Cyberpatrol enabled.  Since it's
generally not the choice of the plug-n-pray crowd, it could be that >95%
of the install base wasn't ever vulnerable.

Perhaps also because most of them have had the product for more than 30
days?  It certainly took a lot longer than that at my last install to get
through testing/patching/testing. [NAI needs *serious* help in the QA
department if the release I tried last year is any indication.]

Statistics for number of systems would be fairly difficult to derive
under the NAI per-seat for lots of products model, where you could deploy
as many as you liked for the per-user fee.  

As to why there's been little discussion, perhaps it's because it's not
that interesting.  Since you can MD5 the installation through normal
procedures and archive those off-box, it's not that difficult to check to
see if your system has been changed if you had Cyberpatrol activated.  The
fix was put up pretty quickly, but I don't know if NAI did any type of
notification to people who might have been inside the 30-day window or if 
Mattel did any customer notification though.

It looks to me like the widely available exploit code requires a
compromised client or malicious Web server to realize, since you can't
connect to the http proxy from the external network even in a default
install.

Lastly, it could be because most of us are jaded about code quality or
firewalling anymore.  There's enough crap tunneled over HTTP these days to
make firewalling a much lower bar than it has been in the past, and all
the major vendors in this space seem to have had issues with code quality,
design, or configurations in the last few years.   

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
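
The off-box checksum comparison mentioned in the message above, as an added example that is not part of the original post or any vendor tooling. The function names and the JSON manifest format are assumptions made for illustration, and the digest defaults to SHA-256 rather than the MD5 named in the message (pass `algorithm="md5"` for MD5).

```python
import hashlib
import json
import os


def build_manifest(root, algorithm="sha256"):
    """Map each file path (relative to root) to its hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                # Symlinked file: record the target rather than hashing through it.
                manifest[rel] = "link:" + os.readlink(path)
                continue
            digest = hashlib.new(algorithm)
            with open(path, "rb") as handle:
                for chunk in iter(lambda: handle.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def save_manifest(manifest, path):
    """Write the manifest as JSON; copy this file off the firewall host."""
    with open(path, "w") as out:
        json.dump(manifest, out, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as src:
        return json.load(src)


def compare(baseline, current):
    """Return the files modified, added and removed since the baseline."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


if __name__ == "__main__":
    import sys
    # Usage: script.py baseline|check <install-root> <manifest.json>
    mode, root, manifest_path = sys.argv[1:4]
    if mode == "baseline":
        save_manifest(build_manifest(root), manifest_path)
    else:
        report = compare(load_manifest(manifest_path), build_manifest(root))
        print(json.dumps(report, indent=1))
```

The comparison is only as trustworthy as the stored baseline, so the manifest has to be taken before exposure and kept where a compromised host cannot rewrite it.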
