I would say about 90% of the vulnerabilities can be dealt with by
a proper configuration, but the out-of-box experience of FireWall-1
does not completely address this.

Dug Song already noted that Check Point posted the vulnerabilities
patched by 4.1 SP2 and 4.0 SP7 and 4.0 SP5 HotFix for Nokia; they
are displayed here:

http://www.checkpoint.com/techsupport/alerts/list_vun.html

Even a carefully crafted policy is vulnerable to DNS and FTP PORT
attacks as demonstrated at Black Hat.

So far, we have learned about new vulnerabilities with FireWall-1, but
that doesn't mean that other firewalls are less vulnerable. I perceive
FireWall-1 to be the most likely to attract scrutinization and it is a
matter of time before we learn about the weaknesses within other products.

I have definitely bought into the VPN punch, but I left FWZ a long time
ago. Regardless of the protocol, VPNs are emerging because they are the
only way that the Internet can scale into the realm of IPv6.

Jerald Josephs
[EMAIL PROTECTED]


----- Original Message -----
From: "Robert Stanley" <[EMAIL PROTECTED]>
To: "Paul D. Robertson" <[EMAIL PROTECTED]>; "Michael Rasmussen"
<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, July 31, 2000 2:21 PM
Subject: RE: Checkpoint Vulnerabilities???


>
> My understanding of the vulnerabilities was that they were mostly due to
> improper (loose) configuration, with few exceptions such as some of the
> more recent DOS attacks. These attacks affect other stateful firewalls as
> well (PIX). Most of the holes presented in the conference are curable
> simply through proper firewall configuration. Bottom line... firewalls
> should be configured and administered by trained professionals. Software
> should always be updated and patched, as is true with any OS as well.
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Paul D. Robertson
> > Sent: Saturday, July 29, 2000 10:25 AM
> > To: Michael Rasmussen
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Checkpoint Vulnerabilities???
> >
> >
> > On Thu, 27 Jul 2000, Michael Rasmussen wrote:
> >
> > > Word has it from some colleagues that Checkpoint was just made to look
> > > like swiss cheese at the Black Hat conference in Las Vegas.
> > > Supposedly the full information will be available next week, and
> > > Checkpoint has released a service pack today to fix, or supposedly fix
> > > some of the problems.  I was told that a group demonstrated a number
> > > of holes and vulnerabilities that have not been released yet, but they
> > > have been working with Checkpoint to get them fixed before disclosure.
> > >
> > > Is anyone aware of the details?  If this is true - it is not good for
> > > Checkpoint!!!
> >
> > A pretty good summary was posted to the firewall-1 mailing list, I'm not
> > sure if Checkpoint archives it or if any 3rd parties do.  The exploits
> > were all pretty varied and included module authentication replay and
> > brute forcing, FWZ encapsulation, anti-spoofing errors in configuration,
> > FIN scanning, PASV and rsh errors.  They included some recommendations in
> > the presentation.  Dug's popped up here before, so hopefully he'll be
> > able to post a link to the slides soon if he's actively reading it.  I've
> > already packed everything, and I don't want to mess up anything with vague
> > recollections. [but I'll try anyway- my notes are already packed though]
> >
> > Blocking access to the auth port and dropping FWZ at the border seems to
> > be a good mitigation to me if you haven't already drunk the purple VPN
> > Koolaid, along with blocking broadcast and multicast addresses, not
> > using ANY, not turning off localhost inter-module authentication, don't
> > stick publicly writable FTP servers behind FW1 (it's a good excuse to
> > drop FTP as a protocol...), upgrade and apply the patches, watch the
> > fastpath stuff or don't use it, make sure your anti-spoofing rules are
> > complete and correct.
> >
> > Paul
> > -----------------------------------------------------------------------------
> > Paul D. Robertson      "My statements in this message are personal opinions
> > [EMAIL PROTECTED]      which may have no basis whatsoever in fact."
> >
> >    PSB#9280
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >