>From: "Paul D. Robertson" <[EMAIL PROTECTED]>
>Maybe because most people who install Gauntlet turn off everything that
>isn't totally necessary? I don't know why anyone would choose a default
>installation of a critical security product. I've installed and helped
>others install a fair number of Gauntlet systems (along with a few
>different commercial firewalls- none of which received a default install),
>and I've never had even one with Cyberpatrol enabled.

Hey Paul, when you do an install, do you use the GUI tool to administer the
firewall? My guess is yes, since that is where most people do it now. Did
you happen to know there is a neat little bug in the GUI tool? Oh yeah, if
you turn off the Cyberpatrol proxy, it says it's off, but nope, it's still
running. So now let's assume that there are installers out there that think
they are turning it off even when they are not. Not such a neat little
issue, eh?

>Perhaps also because most of them have had the product for more than 30
>days? It certainly took a lot longer than that at my last install to get
>through testing/patching/testing.

It takes you longer than 30 days to install a Gauntlet Firewall? Please
remind me not to invite you to do an install at our site! I agree that
there is testing and patching, but 30 days?

>As to why there's been little discussion, perhaps it's because it's not
>that interesting. Since you can MD5 the installation through normal
>procedures and archive those off-box, it's not that difficult to check to
>see if your system has been changed if you had Cyberpatrol activated.

The concern is not if the system has been changed. Obviously now people are
becoming aware of the issue. The problem is the people who were not aware
or might still not be. If I were going to exploit this, I would just write
code that gave me a remote shell when I attacked the port. I would then
just restart the daemon when I was done. Now there is no code loaded on the
box and MD5 won't be finding anything. So I am confused how the first
exploit of this type (as in gaining access to the firewall) is not
interesting??? I just read an article over at BusinessWeek about this
exploit under the BW Daily section, and after reading that it seems even more
interesting.

>It looks to me like the widely available exploit code requires a
>compromised client or malicious Web server to realize, since you can't
>connect to the http proxy from the external network even in a default
>install.

I am not sure what code you saw, but the code over at SecurityFocus can be
used by anyone on any remote machine. Granted that it is set up to be used
from a Linux box, but find me one person who doesn't have Linux now that has
a clue what's going on. Not to mention it's very easy to port.

>Lastly, it could be because most of us are jaded about code quality or
>firewalling anymore.

I do agree with you there. If you look at all the exploits coming out on
security products, you can't help but feel jaded.

_Gramble_
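
An added example, not part of the original thread or of any vendor tooling: the two checks this exchange turns on, run together. It compares the on-disk install against an off-box hash baseline (SHA-256 here, where the thread mentions MD5) and separately probes whether a proxy the admin tool reports as disabled still accepts connections, since a hash baseline says nothing about what is running. Function names, the port number and the sample file are assumptions constructed for illustration.

```python
import hashlib
import socket
from pathlib import Path


def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def changed_files(baseline, root):
    """Return paths added, removed or modified since the baseline was taken."""
    current = build_manifest(root)
    return sorted(
        path for path in baseline.keys() | current.keys()
        if baseline.get(path) != current.get(path)
    )


def is_listening(host, port, timeout=1.0):
    """True if a TCP connect to host:port succeeds, whatever the GUI reports."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def audit(baseline, root, disabled_ports, host="127.0.0.1"):
    """Combine both checks: on-disk drift and services that should be off."""
    return {
        "changed": changed_files(baseline, root),
        "still_listening": [p for p in disabled_ports if is_listening(host, p)],
    }


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed sample install tree
        (Path(d) / "proxy.conf").write_text("cyberpatrol: off\n")
        baseline = build_manifest(d)          # archive this off-box
        print(audit(baseline, d, disabled_ports=[18999]))  # placeholder port
```

An empty `changed` list alongside a non-empty `still_listening` list is the case described in the reply: files match the baseline, yet the service believed to be off is reachable.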