Thomas,
#of course I have been exaggerating a bit (with the salad bowl thing, not
#with the thing about the multiple lines of defense). But the thing is
#that Dug Song and friends have not tried to make swiss cheese of PIX,
#Gauntlet or any other firewall - just because you find FireWall-1 almost
#everywhere and it therefore makes an interesting target.
#What makes you so sure that PIX and Gauntlet will resist such determined
#attacks better than FireWall-1? I do not think that Check Point's
#engineers are any worse than the engineers at any other company. In
#fact, when the FTP PASV thing came up PIX was actually more vulnerable
#than FireWall-1.
#All I am saying is that we do not have any proof that there aren't a lot of
#equally serious holes in any other firewall. I could very well imagine
#that we will see another vendor's firewall being "statefully inspected"
#at next year's Black Hat Briefings. :-)
#Well, in my opinion, it always boils down to the same thing. Use more
#than one line of defense.
I absolutely agree with you on the multiple lines of defense and I
also think that Firewall-1 is a better product than PIX. I have some
experience with the PIX and I probably wouldn't suggest it to anyone as a
solution. I don't know much about Gauntlet so I can't comment on whether
or not it is a better product than Firewall-1. Gauntlet used to have
application layer proxies which I like better than Stateful Inspection but
now they only bring suspect packets up to the application layer. I think
more things could go wrong with that than with staying at either the
application layer or the session layer. I would like to see Dug Song and
friends take on something like the Sidewinder or Cyberguard. They would
have to deal with application layer proxies and a trusted operating system.
Dug, if you are listening, take on the Sidewinder at next year's Blackhat.
Regards,
Jeffery Gieser
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]