Thomas Lopatic, John McDonald, and Dug Song wrote a good paper a while back
on some of the issues with Checkpoint firewall-1.  It gets into some of the
specific protocol design weaknesses.  Overall a very good analysis.  Rather
than spending time on the confusion that can occur from FW-1
misconfiguration, this thread might be better shifted to some of the
protocol weaknesses and exploits that have existed in previous and current
versions of FW-1.

i.e. Bypassing rulechecking for FTP because of an incorrect parsing
algorithm in versions 3.0.....i.e. misuse of the PORT command
     Fastmode and why it is dangerous.......rsh/rexec stderr
vulnerabilities.....

There are others but I think this thread would be better served through a
discussion of some of the protocol weaknesses.  If I were going to make a
decision to not use FW-1 for DoD or anything for that matter.....it might be
of value to consider this information.

http://www.dataprotect.com/bh2000/


-Sam

----- Original Message -----
From: "Peter Capelli" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "Larry Paul" <[EMAIL PROTECTED]>; "Saso Virag" <[EMAIL PROTECTED]>;
"firewalls_list" <[EMAIL PROTECTED]>
Sent: Thursday, November 30, 2000 4:10 PM
Subject: RE: Emily's response to the rumors


>      Hmmm, that link you attached didn't really have anything to do with
> large rulebases.  Besides, I've worked on CP firewalls that have 200+
> rules, 600+ translation rules, and many thousands of objects, and rulebase
> compilations have never taken longer than 5 minutes.  Not that I recommend
> a monster rulebase like that, it's too large to manage, but we've been doing
> that since 3.0a without trouble.
>
>
> -p
>
> "Those who would give up essential liberty for temporary safety deserve
> neither liberty nor safety" - Benjamin Franklin, 1759
>
>
> [EMAIL PROTECTED]@Lists.GNAC.NET on 11/30/2000 01:21:25 AM
>
> Sent by:  [EMAIL PROTECTED]
>
>
> To:   "Larry Paul" <[EMAIL PROTECTED]>, "Saso Virag" <[EMAIL PROTECTED]>
> cc:   "firewalls_list" <[EMAIL PROTECTED]>
> Subject:  RE: Emily's response to the rumors
>
>
>
> But here is an interesting tidbit: a 175+ rules rulebase with about 4,000
> objects. From the GUI, will take almost an hour to compile and load the
> policy.. Not sure if this has been addressed in the latest service pack or
> not...
>
> Refer to a discussion thread
>
> http://www.securityportal.com/list-archive/firewall-wizards/2000/Sep/0161.html
>
>
>
>
> At 10:59 PM 11/29/00 -0600, Larry Paul wrote:
> >The Universe produces them faster & faster. (us idiots)  Security expert:
> >Yesterday I couldn't spell it, today I are one :>)  Another reason for
> >considering AI in security.  That cold, hard voice ringing out "EXCUSE ME!!
> >EXCUSE ME!!! Are you sure you want to leave this configured like this?? "
> >"Phew, No!  Thanks Robby."
> >The universe is bounded, unfortunately human stupidity is not.
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>