Re: [fw-wiz] FirePass questions

From: yossarian (yossarian@planet.nl)
Date: 02/14/03

    From: yossarian <yossarian@planet.nl>
    To: firewall-wizards@honor.icsalabs.com, john.smith@minolta-qms.com
    Date: Fri, 14 Feb 2003 22:56:41 +0100
    

    I do not know the appliance, but having researched many of the standards
    used, there are some things I can explain.

    What interests me most is what encryption scheme they use. The first
    interesting claim is that key lengths up to 1024 bits are supported. Oddly,
    they do not tell if it is symmetric or asymmetric. For symmetric
    encryption, this is considered too much, and seeing that the system uses SSL
    and PKI, it probably means it uses 1024-bit RSA keys - maximum. If you take
    the key length judged necessary by Lenstra and Verheul for non-military use,
    published in 1999 (please do Google it, it is on the web; I looked it up in a
    white paper), 1024 was good enough in 2001. Since you will probably use
    this apparatus for at least 2 years, it means your cryptographic strength
    needs to be at least what is considered the minimum for 2005, i.e. 1149
    bits.

    Secondly, it uses other attributes which must be clearly defined in order to
    verify its security. LDAP is a good example - it is probably used to store
    your public keys. Private keys are to be stored on tokens - but this is
    optional. Private keys stored on hard disks are extremely vulnerable, as
    Utimaco research three years ago proved. Or you can go without a keypair for
    the user - SSL can live without it. But then the only certainty you offer is
    to the client, who knows which server he/she is connecting to.

    It uses 128-bit SSL with PKI and tunnels SMB shared drives. It also claims
    that you can have a mixed bag of full PKI for network users, and password
    only for the Extranet. This may be possible, but it means that you have to do a
    full PKI implementation, and give access to systems in the network and in a
    DMZ - well, at least I hope the extranet is in the DMZ - to separate NetBIOS
    from real traffic. This is possible, but it might be a bit complex. Most
    companies that have tried doing a full PKI found out it was NOT simple at
    all, and that it has taken years, without any, or any tangible, RoI. The actual
    management of the certificates also tends to be a nightmare for admins.

    The support for *ANY* browser with some use (not absolutely necessary
    though) of ActiveX brings several issues to light. First - the PKI and SSL
    support in browsers varies. IE up to somewhere in IE6 is not capable of
    doing chain validation for key revocation, effectively disabling the user's
    ability to check for disabled keys. Doesn't the system mind?
    This might pose some real problems. Secondly, on the topic of IE, what security
    zone settings will be necessary to use the level of functionality? Users
    will probably want to connect to the Internet as well, so the setting must
    be strict. If there are conflicts in this area, support calls will be
    rampant.

    In order to support WfW and NT4, you cannot use TCP/IP without the NetBIOS
    helpers. Many features in the brochure simply cannot be supplied without
    some middleware, like terminal emulation in the browser. This is usually
    very costly, although some solutions are very simple to use. You'll have to
    use their webifyers as middleware - if you need any of the extra
    features.

    Although it appears to be a hardware device, it is Intel based, so it is a
    PC to a certain extent, with an OS, somehow. Unfortunately, I cannot find
    out what kernel it uses, or which OS. You must know this. The box itself
    probably loads the webifyers, turning it into an SNA gateway or whatever.
    This means that since it is a SPOF, this is MUST-HAVE info.

    Judging by the low-depth info the maker supplies, I must completely agree with
    your distrust - it basically is an oversimplified sales pitch, but if the
    claims are true, it will supply you with a Plug and Play PKI and LDAP, w/o
    setting up user accounts, access, authorisation rules, network zoning,
    certificate rules and policies.... Not likely, but if it is true and it is
    safe, thousands of propheads have been wrong for years, and all the woes of
    our work have simply vanished. Quoting a Yankee Group report is usually a
    bad sign, IMHO.

    good luck - you'll need it

    Yossarian

    ----- Original Message -----
    From: <john.smith@minolta-qms.com>
    To: <firewall-wizards@honor.icsalabs.com>
    Sent: Friday, February 14, 2003 5:37 PM
    Subject: [fw-wiz] FirePass questions

    > Greetings Everyone,
    >
    > I've searched through the 2002 and 2003 Bugtraq, Firewall Wizards and VPN
    > lists and not come up with anything.
    >
    > A group within our company is looking at the FirePass appliance
    > (www.uroam.com). The appliance appears to work by punching a hole through
    > your firewall and offers a whole range of services.
    >
    > My opinion is that this is a *very* bad thing:
    >
    > a) The group wants connectivity from a large enough number of locations
    > that filtering would be next to impossible, if not impossible, therefore we
    > would have to allow access to it from the whole world.
    > b) We would eliminate the firewall from the security equation.
    > c) We would be depending on the security of the appliance to protect the
    > corporation, and it is designed to *grant* access, not prevent or deny it.
    >
    > My questions:
    >
    > 1) Does anyone have any experience with the FirePass?
    > 2) Is there a way to securely offer access to this box?
    > 3) Am I totally off base in my above assumptions and my analysis of the
    > appliance?
    >
    > Chances are I will be required to install this box. In this case the
    > middle ground I am shooting for is only granting access to the box via VPN
    > (even though they are eliminating 'traditional' VPN from the picture
    > according to their literature). We already use VPN, so to me only allowing
    > external access through the VPN is a trade-off - our security stance is no
    > worse than it was before.
    >
    > Thanks for all your help.
    >
    > js
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
