RES: ISA firewall

From: Romulo Moacyr Cholewa (rmc@rmc.eti.br)
Date: 09/09/02

From: "Romulo Moacyr Cholewa" <rmc@rmc.eti.br>
To: <security-basics@securityfocus.com>
Date: Sun, 8 Sep 2002 23:18:10 -0300


IMHO,

If we want to judge ISA as a firewall product (or if you want to judge
any product) you must:

1. define the scope of the product
2. based on that scope, analyze whether it meets the proposed features
3. based on the success or failure to comply with the proposed
features, compare with other products (and please don't forget to run
steps 1 and 2 with the other products)

What people usually do:

Windows? Ah, I won't run it; I run a Linux/UNIX/*NIX solution. Let's
face it: generally, most of the defaced sites that run Windows (or even
Linux) were compromised by a security hole that was identified days ago,
weeks ago, or even years ago (remember Nimda?)

This is an administrative flaw, not a software one. Ok, Windows has
flaws, so does every single line of code out there. There is no
flawless security-related software. This MUST be the starting point of
every security admin.

So, a customer wants/needs to run a solution based on the
SuperUltraNitro Security Firewall, developed by a company named
Wearethebest Inc.? Ok, no problem. The security specialist needs to
enumerate its flaws, caveats, problems, features, and make the best of
it, no matter if you "like" it or not. So be it.

The security community must stop bashing Microsoft because of the flame
war between MS and other companies. I do have an OS that I feel
comfortable with, but the fact is, there are lots of servers around
running MS products, and we won't solve the problem by telling everybody
"do not run MS products". We need to recognize that my not feeling
good about running a particular company's products won't solve its
security issues.

And talking about numbers, there are as many flaws in Windows as in any
version of any software out there. But some of those flaws made their way
to the news faster. Don't be fooled by security sites that advertise MS
security flaws.

I was hovering over the Securiteam advisory list, and want to quote some
of the most recent security issues:

WebServer 4 Everyone Directory Traversal Bug
Multiple Vulnerabilities at Canada.com
Remotely Exploitable Buffer Overflow in PGP
KSTAT (and Maybe Others) Bypass (Phantasmagoria)
Zero Width GIF (Exploit)
PHP header() CRLF Injection
Granite Software ZMerge Administration Database Insecure Default ACLs
NETGEAR FM114P URL Filter Bypassing Vulnerability

This was a 2-day summary of 1 security list (today and yesterday).

Romulo M. Cholewa
Home : http://www.rmc.eti.br
Forum: http://zeus.rmc.eti.br/forum
PGP Keys Available @ website.

  "Facts do not cease to exist because they are
  ignored." -- Aldous Huxley

]-----Original Message-----
]From: Daniel R. Miessler [mailto:danielrm26@hotmail.com]
]Sent: Saturday, 7 September 2002 06:04
]To: 'Chris Norris'; security-basics@securityfocus.com
]Subject: RE: ISA firewall
]
]
]> By the way Daniel, I enjoyed your balanced review of ISA at
]this page:
]> http://cert.uni-stuttgart.de/archive/focus-ms/2002/08/msg00027.html
]
]Well, since that wasn't really a balanced review, and you seem
]to be supporting ISA as a security product, I am going to have
]to assume that was a sarcastic remark. :)
]
]Honestly, man, I am not into flaming products just for the
]sake of doing so. I like many things about MS products. XP
]is great, Outlook is top notch (when patched), and aside from
]IIS, the 2000 Server products are rock solid. I don't bash
]products for no reason.
]
]I was HIGHLY enthused about ISA server when I installed it and
]started playing with it. In fact, it was myself and a buddy
]of mine (both of us MCSE by the way). We got through the
]install, which is bad news to any security engineer, and
]started messing with the product. I was in contact with some
]guy who was evidently something of an authority on ISA and I
]was asking him why the IDS didn't work and why many of the
]ports were open by default. He essentially told me that these
]were features of ISA. When I compared this with a Linux
]solution he basically threw up his hands and said he didn't play
]with that crazy Linux stuff. He was honestly scared of *nix,
]man, and that doesn't bode well for my respect for his
]security skills. I can see not being versed, but to be scared
]is just not cool.
]
]I heard someone else in this 'thread' mention that it isn't so
]much about the software and more about the configuration. I
]can agree with that to some extent, but you have to realize
]that some starting points are better than others. Windows
]2000, I would argue, is not one of the better ones. Put it
]this way, if Windows 98 came out with a firewall module I
]wouldn't be rushing to get a copy. The software DOES matter.
]
]Again, I will make the comparison to Exchange. Who has used
]it? I have. It is an awesome product...when it works. It is
]full of features that I would love to use on any MTA, but I am
]not willing to lose stability to gain those features. I ran
]the product for a while and all of a sudden the thing would
]just stop sending mail. It was sending fine one minute, then
]suddenly it wasn't. I'll give you three guesses as to what
]fixed the problem every time....(it rhymes with leeboot) This
]type of thing happened with ISA as well. The ISA guru I was
]talking to would say things to me like, "Yeah, that does that
]sometimes...you may want to reboot, it usually goes away." I
]shouldn't have to hear anything along those lines when
]discussing a security product.
]
]Bottom line...I like many MS products and I like the company.
]I am not some sort of *nix zealot. I simply prefer a clean,
]crisp, solution when it comes to offering services like mail,
]and definitely when looking for a security product. I can
]completely install a Linux-based security solution probably
]4-6 times before you can even install and patch the 2000 box
]that you are putting your ISA Server on. That should tell you
]something. I can also SSH to my box and edit text based
]config files to make the box do exactly what I want it to do.
]This is control, man, and it is the reason that *nix solutions
]are so coveted by security professionals.
]
]So again, I am not into flaming and I am not into bashing
]products. I am simply telling you that there is a possibility
]that a re-evaluation of your loyalty to ISA is in order.
]Check into the *nix solutions. I think you will find they are
]quite strong.
]
]--danielrm26
]
]---
]Incoming mail is certified Virus Free.
]Checked by AVG anti-virus system (http://www.grisoft.com).
]Version: 6.0.385 / Virus Database: 217 - Release Date: 4/9/2002
]
]