Re: [fw-wiz] FirePass questions

From: Ben Nagy (ben@iagu.net)
Date: 02/18/03

    From: "Ben Nagy" <ben@iagu.net>
    To: <firewall-wizards@honor.icsalabs.com>, <john.smith@minolta-qms.com>
    Date: Tue, 18 Feb 2003 10:03:18 -0000
    

    ----- Original Message -----
    From: <john.smith@minolta-qms.com>
    To: <firewall-wizards@honor.icsalabs.com>
    Sent: Friday, February 14, 2003 4:37 PM
    Subject: [fw-wiz] FirePass questions

    > Greetings Everyone,
    >
    > I've searched through the 2002 and 2003 Bugtraq, Firewall Wizards and VPN
    > lists and not come up with anything.
    >
    > A group within our company is looking at the FirePass appliance
    > (www.uroam.com). The appliance appears to work by punching a hole through
    > your firewall and offers a whole range of services.
    >
    > My opinion is that this is a *very* bad thing:

    As opposed to a "standard" VPN solution, which works how, again? ;)

    Without the hand-waving and chest thumping parts, it looks like this box
    just uses SSL to replace the encrypt bit of a "normal" VPN and then uses
    some web middleware to enable various kinds of access. I think that Citrix
    still uses a pretty similar paradigm to enable "secure" thin client
    solutions in a browser using Java.

    I wouldn't worry about the crypto end of things. SSL is an OK protocol,
    which is well understood, and nobody is going to crack your 1024 bit server
    key. If they do I'll buy you a beer, I promise.

    I would agree that quick and dirty enabling of client access out to random
    remote devices is a problem, but it's not one that's unique to this
    solution - most well thought out VPN solutions consider the concept as well.
    (As far as I can tell, that was a total of two solutions worldwide in
    FY2003)

    The particular, worrying, risks which this genre of solutions add to the mix
    are bad browsers and hostile server attacks based on poor handling of
    server-certs in a number of ways. These are pretty nasty risks, and
    yossarian's comments in those areas seem sensible to me.

    So, in short, I agree that it sounds like an awful can of worms, but I think
    that focused analysis of where the failings are is more likely to steer you
    on the right security path than the general primal monkey-fear reaction.
    Having said that...

    Ook, ook, this looks like a dodgy-ass box. Run away! Spank own backside!

    ben

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
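The "poor handling of server-certs" risk Ben mentions for SSL-based remote access is mostly a client-side problem: the browser or agent must check that the certificate the server presents actually names the host it meant to reach, or a hostile server can impersonate the gateway. The following is an added example, not code from the thread or from the FirePass product, of what a strict check looks like next to the sloppy shortcut it replaces. It works on the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns; the certificate dictionaries and hostnames in it are constructed for illustration and are not real certificates.

```python
# Added example: strict server-certificate hostname matching for the
# dictionary shape ssl.SSLSocket.getpeercert() returns, beside a naive
# matcher that a hostile server can fool. Sample certs are constructed.
import ipaddress


def _parse_ip(text):
    """Return an ip_address object, or None if `text` is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname using RFC 6125 wildcard rules."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    h_labels = hostname.split(".")
    if any(not label for label in h_labels):
        return False  # empty label, e.g. ".example.com"
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    # The wildcard must be the whole leftmost label and leave at least two
    # labels after it, so "*", "*.com" and "f*o.example.com" are all rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    # "*" matches exactly one label: "*.example.com" must not match
    # "example.com" or "a.b.example.com".
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def strict_hostname_matches(cert: dict, hostname: str) -> bool:
    """True only if `hostname` is covered by the cert's SAN (or, with no SAN, its CN)."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    ip = _parse_ip(hostname)
    if ip is not None:
        # An IP literal must match an iPAddress SAN entry exactly, never a dNSName.
        return any(_parse_ip(value) == ip for value in ip_names)
    if dns_names:
        return any(_dns_pattern_matches(p, hostname) for p in dns_names)
    # Legacy fallback: commonName is consulted only when there is no SAN at all.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_pattern_matches(value, hostname)
    return False


def naive_hostname_matches(cert: dict, hostname: str) -> bool:
    """The shortcut to avoid: '*' means 'anything' and a substring test stands in
    for a label comparison, so a hostile server's cert passes for other hosts."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value.replace("*", "") in hostname:
            return True
    return False


# Constructed sample certificates in getpeercert() shape (hypothetical hosts).
VPN_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (
        ("DNS", "vpn.example.com"),
        ("DNS", "*.remote.example.com"),
        ("IP Address", "203.0.113.10"),
    ),
}
LEGACY_CN_CERT = {  # no SAN extension, CN only
    "subject": ((("organizationName", "Example"),), (("commonName", "*.example.com"),)),
}
HOSTILE_CERT = {  # what a rogue server might present to a careless client
    "subject": ((("commonName", "anything"),),),
    "subjectAltName": (("DNS", "*"),),
}


def compare(cert: dict, hostname: str) -> tuple:
    """Return (naive_result, strict_result) for one cert/hostname pair."""
    return naive_hostname_matches(cert, hostname), strict_hostname_matches(cert, hostname)


if __name__ == "__main__":
    for cert_name, cert in (("VPN_CERT", VPN_CERT), ("HOSTILE_CERT", HOSTILE_CERT)):
        for host in ("vpn.example.com", "vpn.example.com.attacker.net", "gw1.remote.example.com"):
            print(f"{cert_name:13} {host:32} naive/strict = {compare(cert, host)}")
```

In practice a Python client gets this check for free by leaving check_hostname=True and verify_mode=CERT_REQUIRED on the SSLContext; the routine above is here to make visible what that check has to do, and what goes wrong when an SSL-VPN client (or a 2003-era browser plugin) skips it or reimplements it loosely.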
