Re: [fw-wiz] Firewalls that generate new packets..

Tina Bird wrote:

i firmly believe that the firewall an admin finds easiest will always be the
first one she used, like most other apps and tools. i'm therefore grateful
that i picked a system that did things like provide daily reports *out of the
box* on traffic levels, top ten dests, and that sort of thing. that let me
easily verify that the traffic going through the firewall agreed with what i
had configured in the policy.

You mean the marketing PR didn't woo you with free lunches, caps, mousepads,
etc., into making you understand how their parallel vector enhanced,
multi-versed, dual-homing, deep distributed packet defibrillator is the best
thing since Ramen Noodles? Best gizmo I ever got from a vendor was a pro
lock picking set.

discovered that checkpoint and the like **allowed network connections
directly between the internal and the untrusted networks** after a few rules

A firewall nowadays as far as I can tell (right now I'm only playing with
Netscreen, Checkpoint, Pix, Stonegate, Sonicwall) is only as good as any
admin behind it. The rest is all fluff. Nothing I can't do with out of the
box downloads from any BSD or Linux site with some tweaking to make it look
pretty if one were to really get down to the nitty gritty.

On the flip side of this whole argument right here... Coming from an attack
vector, I've pretty much shut down (locally and remotely) three of the five
firewalls I mentioned with a DoS tool I wrote that is being looked at by 2
of the five mentioned. Isn't that ironic... Here they are protecting, yet
here they are all vulnerable at the bottom of it all. I cannot, will not
post any coding probably ever because I do not believe there are fixes
(legacy TCP thing I believe). PSIRT has tinkered with it for the past 60+
days without a resolution. The other vendor solely sent a generic "eye eye
Spock we will look at it!" but my guess is they'd rather spend money on
inviting us all to continental breakfast and a movie (hey you got that

To be fair to firewall vendors about this attack though, it pretty much
shuts down anything connected period, from a DSL --> DS3 goodbye. So I
guess it would be fair to state that as opposed to seeming as if I'm
pointing a finger at the entire firewall industry.

i've never understood how *marketing* could obfuscate that *simple* fact --

Never underestimate the power of marketing.

J. Oquendo
SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

echo c2lsQGluZmlsdHJhdGVkLm5ldAo=|\
python -c "import sys; print sys.stdin.read().decode('base64')"

firewall-wizards mailing list
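An added worked example (not part of the thread above, and not code from any of the vendors named) of the daily check Tina Bird describes: summarise what the firewall actually accepted, list the top destinations, and flag any accepted flow that none of the configured allow rules explains. The log lines, the key=value format and the policy are all constructed for illustration.

```python
"""Daily sanity check: what did the firewall pass, and does the policy explain it?
Log format is a constructed key=value style resembling netfilter LOG output;
policy and addresses are made up for the example."""
import ipaddress
from collections import Counter

# Constructed sample of ACCEPT log lines (not real traffic).
LOG_LINES = """\
ACCEPT IN=eth0 OUT=eth1 SRC=10.1.1.5 DST=203.0.113.10 PROTO=TCP DPT=443 LEN=48000
ACCEPT IN=eth0 OUT=eth1 SRC=10.1.1.7 DST=203.0.113.10 PROTO=TCP DPT=443 LEN=12000
ACCEPT IN=eth0 OUT=eth1 SRC=10.1.1.9 DST=198.51.100.25 PROTO=TCP DPT=25 LEN=3000
ACCEPT IN=eth0 OUT=eth1 SRC=10.1.2.3 DST=203.0.113.44 PROTO=TCP DPT=22 LEN=900
ACCEPT IN=eth0 OUT=eth1 SRC=10.1.1.5 DST=192.0.2.1 PROTO=UDP DPT=53 LEN=200
""".splitlines()

# Allow rules the admin believes are configured: (src_net, dst_net, proto, dport).
POLICY = [
    ("10.1.0.0/16", "0.0.0.0/0", "TCP", 443),
    ("10.1.0.0/16", "0.0.0.0/0", "UDP", 53),
    ("10.1.1.0/24", "198.51.100.25/32", "TCP", 25),
]

def parse_line(line):
    """Turn one 'ACCEPT k=v k=v ...' line into a flow dict with typed fields."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
    return {"src": fields["SRC"], "dst": fields["DST"], "proto": fields["PROTO"],
            "dport": int(fields["DPT"]), "bytes": int(fields["LEN"])}

def rule_allows(rule, flow):
    """True if this allow rule covers the flow (src net, dst net, proto, port)."""
    src_net, dst_net, proto, dport = rule
    return (ipaddress.ip_address(flow["src"]) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(flow["dst"]) in ipaddress.ip_network(dst_net)
            and flow["proto"] == proto and flow["dport"] == dport)

def top_destinations(flows, n=10):
    """Bytes per destination, largest first: the 'top ten dests' daily report."""
    totals = Counter()
    for f in flows:
        totals[f["dst"]] += f["bytes"]
    return totals.most_common(n)

def unexplained_flows(flows, policy):
    """Accepted flows no allow rule accounts for: policy and reality disagree."""
    return [f for f in flows if not any(rule_allows(r, f) for r in policy)]

if __name__ == "__main__":
    flows = [parse_line(l) for l in LOG_LINES]
    print(top_destinations(flows))
    for f in unexplained_flows(flows, POLICY):
        print("unexplained:", f)
```

On the sample data the SSH flow to 203.0.113.44 is accepted but matched by no rule, which is exactly the kind of disagreement the daily report is meant to surface.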
