Re: [fw-wiz] Firewalls that generate new packets..
- From: "J. Oquendo" <sil@xxxxxxxxxxxxxxx>
- Date: Tue, 27 Nov 2007 22:17:43 -0600
Tina Bird wrote:
i firmly believe that the firewall an admin finds easiest will always be the
first one she used, like most other apps and tools. i'm therefore grateful
that i picked a system that did thing like provide daily reports *out of the
box* on traffic levels, top ten dests, and that sort of thing. that let me
easily verify that the traffic going through the firewall agreed with what i
had configured in the policy.
You mean the marketing PR didn't woo you with free lunches, caps, mousepads,
etc., into making you understand how their parallel vector enhanced,
multi-versed, dual-homing, deep distributed packet defibrulator is the best
thing since Ramen Noodles? Best gizmo I ever got from a vendor was a pro
lock picking set.
discovered that checkpoint and the like **allowed network connections
directly between the internal and the untrusted networks** after a few rules
were applied. THEY MISSED THE WHOLE POINT!
A firewall nowadays as far as I can tell (right now I'm only playing with
Netscreen, Checkpoint, Pix, Stonegate, Sonicwall) is only as good as any
admin behind it. The rest is all fluff. Nothing I can't do with out of the
box downloads from any BSD or Linux site with some tweaking to make it look
pretty if one were to really get down to the nitty gritty.
On the flip side of this whole argument right here... Coming from an attack
vector, I've pretty much shut down (local and remotely) three of the five
firewalls I mentioned with a DoS tool I wrote that is being looked at by 2
of the five mentioned. Isn't that ironic... Here they are protecting, yet
here they are all vulnerable at the bottom of it all. I cannot, will not
post any coding probably ever because I do not believe there are fixes
(legacy TCP thing I believe). PSIRT has tinkered with it for the past 60+
days without a resolution. The other vendor solely sent a generic "eye eye
Spock we will look at it!" but my guess is they'd rather spend money on
inviting us all to continental breakfast and a movie (hey you got that
too!)
To be fair to firewall vendors about this attack though, it pretty much
shuts down anything connected period, from a DSL --> DS3 goodbye. So I
guess it would be fair to state that as opposed to seeming as if I'm
pointing a finger at the entire firewall industry.
i've never understood how *marketing* could obfuscate that *simple* fact --
Never underestimate the power of marketing.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)
echo c2lsQGluZmlsdHJhdGVkLm5ldAo=|\
python -c "import sys; print sys.stdin.read().decode('base64')"
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
- Follow-Ups:
- Re: [fw-wiz] Firewalls that generate new packets..
- From: Darren Reed
- Re: [fw-wiz] Firewalls that generate new packets..
- References:
- Re: [fw-wiz] Firewalls that generate new packets..
- From: Marcus J. Ranum
- Re: [fw-wiz] Firewalls that generate new packets..
- From: Tina Bird
- Re: [fw-wiz] Firewalls that generate new packets..
- Prev by Date: Re: [fw-wiz] Firewalls that generate new packets..
- Next by Date: Re: [fw-wiz] Firewalls that generate new packets..
- Previous by thread: Re: [fw-wiz] Firewalls that generate new packets..
- Next by thread: Re: [fw-wiz] Firewalls that generate new packets..
- Index(es):
Relevant Pages
|
