On Thu, 27 Jul 2000, Michael Rasmussen wrote:

> Word has it from some colleagues that Checkpoint was just made to look
> like swiss cheese at the Black Hat conference in Las Vegas.  
> Supposedly the full information will be available next week, and
> Checkpoint has released a service pack today to fix, or supposedly fix
> some of the problems.  I was told that a group demonstrated a number
> of holes and vulnerabilities that have not been released yet, but they
> have been working with Checkpoint to get them fixed before disclosure.
> 
> Is anyone aware of the details?  If this is true - it is not good for
> Checkpoint!!!

A pretty good summary was posted to the firewall-1 mailing list, I'm not
sure if Checkpoint archives it or if any 3rd parties do.  The exploits
were all pretty varied and included module authentication replay and brute
forcing, FWZ encapsulation, anti-spoofing errors in configuration, FIN
scanning, PASV and rsh errors.  They included some recommendations in the
presentation.  Dug's popped up here before, so hopefully he'll be able to
post a link to the slides soon if he's actively reading it.  I've already
packed everything, and I don't want to mess up anything with vague
recollections. [but I'll try anyway- my notes are already packed though]
 
Blocking access to the auth port and dropping FWZ at the border seems to
be a good mitigation to me if you haven't already drunk the purple VPN
Koolaid, along with blocking broadcast and multicast addresses, not using
ANY, not turning off localhost inter-module authentication, don't stick
publicly writable FTP servers behind FW1 (it's a good excuse to drop FTP
as a protocol...), upgrade and apply the patches, watch the fastpath stuff
or don't use it, make sure your anti-spoofing rules are complete and
correct.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
