Re:RE : suggestions on a good firewall

From: Bourque Daniel (Daniel.Bourque_at_loto-quebec.com)
Date: 06/24/03

  • Next message: chris: "Re: Broadband usage statistics"
    To: "'ivan.coric@workcoverqld.com.au'" <ivan.coric@workcoverqld.com.au>, "'Willi.Web@mail4web.de'" <Willi.Web@mail4web.de>, "'security-basics@securityfocus.com'" <security-basics@securityfocus.com>, "'David.Ellis@unicam.com'" <David.Ellis@unicam.com>
    Date: Mon, 23 Jun 2003 22:04:41 -0400
    
    

    I was just responding to the example you use. I don't need INSPECT code to
    protect my mail server and yes, I use both products and yes again, both are
    good.

    --------------------------
    Daniel Bourque
    BlackBerry

    -----Original Message-----
    From: Ivan Coric <ivan.coric@workcoverqld.com.au>
    To: Daniel.Bourque@loto-quebec.com <Daniel.Bourque@loto-quebec.com>;
    Willi.Web@mail4web.de <Willi.Web@mail4web.de>;
    security-basics@securityfocus.com <security-basics@securityfocus.com>;
    David.Ellis@unicam.com <David.Ellis@unicam.com>;
    ivan.coric@workcoverqld.com.au <ivan.coric@workcoverqld.com.au>
    Sent: Mon Jun 23 20:33:07 2003
    Subject: Re: RE : suggestions on a good firewall

    Daniel,
    And? If you bothered to look at the thread, you would see it pertains
    to whether the PIX actually inspects application data, not whether
    CheckPoint does!

    The PIX also does Java applet filtering, ActiveX blocking and can work
    with a url-filtering server. For this to work it must be able to look
    into the packets, eh Chris?

    I am not saying that the PIX is better than CheckPoint, nor that
    CheckPoint is better than the PIX, rather explaining that the PIX does
    actually do stateful inspection. I use CheckPoint, PIX, Netscreen and
    iptables here, and IMHO they are all great products.

    cheers
    Ivan

    >>> Bourque Daniel <Daniel.Bourque@loto-quebec.com> 06/24/03 02:45am
    >>>
    Correct me if I am wrong but with Checkpoint, the smtp security server
    allows you to terminate the smtp session at the fw, which will in turn
    send it to your smtp mail server.

    If you telnet to port 25, it's the fw talking back.

    -----Original Message-----
    From: Ivan Coric [mailto:ivan.coric@workcoverqld.com.au]
    Sent: 22 June 2003 19:24
    To: Willi.Web@mail4web.de; security-basics@securityfocus.com;
    David.Ellis@unicam.com; ivan.coric@workcoverqld.com.au
    Subject: RE: suggestions on a good firewall

    Let's take the SMTP protocol for example: fixup SMTP enables the mail
    guard feature, which only lets mail servers receive the RFC 821 commands
    HELO, MAIL, RCPT, DATA, RSET, NOOP and QUIT. All other commands are
    rejected.

    If you want to do a similar thing in CheckPoint you will need to
    provide the INSPECT code to do it.

    I can netcat through my CheckPoint FW to my mail servers, web servers
    etc. I can even do a HEAD request to get a banner of the web server and
    the CP FW does it happily.

    cheers
    Ivan

    >>> Willi Web <Willi.Web@mail4web.de> 06/20/03 10:25pm >>>
    The FIXUP protocol is there to correct irregular behavior in normal
    protocols. For example, the FTP Fixup allows traffic in on port 20 when
    the traffic originated on 21. The SMTP fixup disallows certain SMTP
    commands that could be used for nefarious purposes. The PIX cannot shun
    traffic based on what the FIXUP protocols detect. There is no dynamic
    ACL creation possible.

    The PIX is not a true application level firewall. I can send NETCAT
    traffic over HTTP and the PIX will never know. Whereas the Checkpoints
    and Raptors can detect anomalies in traffic, and act on them.

    --Chris

    -----Original Message-----
    From: Ivan Coric [mailto:ivan.coric@workcoverqld.com.au]
    Sent: Monday, May 26, 2003 7:42 PM
    To: security-basics@securityfocus.com; Christopher Harrington;
    David.Ellis@unicam.com
    Subject: RE: suggestions on a good firewall

    Hi Chris,
    I beg to differ, Cisco has a command called "fixup", which is used to
    set application inspection.

    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb727.html#wp1063233

    cheers

    Ivan Coric
    IT Technical Security Officer
    Information Technology
    WorkCover Queensland
    Ph: (07) 30066414 Fax: (07) 30066424
    Email: ivan.coric@workcoverqld.com.au

    >>> "Christopher Harrington" <charrington@syseng.com> 05/25/03 12:51pm
    >>>
    Ok...I agree that the 2 are different firewalls. Cisco does not do
    application level inspection, Checkpoint does for example.

    NG fp3 came out fall of 2002 (about ??), about the same time as PIX
    6.2. We are tied :), the PIX has had 2 vulns since version 6.2 came out.

    BTW I never said I disliked Checkpoint, to the contrary actually. I
    just take exceptions to incorrect statements.

    --Chris

    -----Original Message-----
    From: David Ellis [mailto:David.Ellis@unicam.com]
    Sent: Saturday, May 24, 2003 8:53 PM
    To: Christopher Harrington; security-basics@securityfocus.com
    Subject: RE: suggestions on a good firewall

    I am talking about the new version of checkpoint, not 4.1 or 4.0. I am
    talking about NGFP3. Checkpoint doesn't even support the earlier
    versions anymore. And Cisco's idea of stateful packet inspection is
    actually reverse engineered Checkpoint. Checkpoint developed it and even
    have a patent on stateful packet inspection technology. They even tried
    to bring Cisco to court for saying they were stateful packet inspection
    firewalls but Cisco won due to the way they worded it. Also OPSEC
    standards (Open Platform for Security) is brought to you by Checkpoint
    Systems. I love Checkpoint firewalls as you can see. :-)
    They also have a secure platform which can load on a system which runs
    on a stripped down linux and you can even go with nokia appliance which
    comes with Checkpoint NG. I personally think Cisco should stay with
    routers and switches (which they are great at).

    Then look at the stats after you look up checkpoint NG fp3

    # of vulns on PIX ---> 16
    # of vulns on Checkpoint ---> 2

    Thanks for listening :-)

    -----Original Message-----
    From: Christopher Harrington [mailto:charrington@syseng.com]
    Sent: Friday, May 23, 2003 1:14 PM
    To: security-basics@securityfocus.com
    Subject: RE: suggestions on a good firewall

    Ahhh...maybe you should actually look at bugtraq before you open
    yourself up like that.

    # of vulns on PIX ---> 16
    # of vulns on Checkpoint ---> 30

    "A new vulnerability is found every other week"...unfounded comments
    like that do not help.

    --Chris

    -----Original Message-----
    From: David Ellis [mailto:David.Ellis@unicam.com]
    Sent: Thursday, May 22, 2003 12:34 PM
    To: Potter, Tim; security-basics@securityfocus.com
    Subject: RE: suggestions on a good firewall

    Actually the checkpoint implied rules are not actually hidden. You
    just enable and disable through global properties, and I prefer
    checkpoint over pix cause just look at the bugtraq record on pix. A new
    vulnerability is found every other week.

    -----Original Message-----
    From: Potter, Tim [mailto:Tim.Potter@clarkconsulting.com]
    Sent: Wednesday, May 21, 2003 12:07 PM
    To: security-basics@securityfocus.com
    Subject: RE: suggestions on a good firewall

    Actually the PIX does have a "pretty" graphical interface. I'm not
    fond of it for many tasks, but the "PDM" can be good for someone newer
    to managing a PIX.

    Also, for a cheaper hardware-based application firewall I would go with
    the Watchguard. My application firewall of choice would be Sidewinder or
    Checkpoint, but you can't beat the cost of the Watchguard. Older
    versions of the firmware required a reboot for every change, but they
    have gotten much better with the newest firmware.

    -Tim

    -----Original Message-----
    From: Mark Ng [mailto:laptopalias1-mark@informationintelligence.net]
    Sent: Tuesday, May 20, 2003 11:56 AM
    To: salgak@speakeasy.net; security-basics@securityfocus.com
    Subject: RE: suggestions on a good firewall

    >
    > Agreed.
    >
    > A Windows box, properly locked down, can be a reliable firewall.

    There's an element of truth to that - but I'm not sure I'd want to be
    the person locking it down or keeping up to date with patches ;). I
    also wouldn't recommend Windows unless in an HA pair.

    There's also a very strong argument for openbsd and PF too (stability,
    proven track record of security) - however, it's not as manageable as
    some other solutions.

    > Locking it down can be a chore, a much easier chore with Win2003
    > server, but still takes some expertise and finesse. I prefer

    I've not yet had any experience with 2k3, so I can't possibly comment.

    > hardware firewalls with a firmware basis, as they're harder to
    > exploit, but many brands have reliability issues. I'm currently
    > running Checkpoint and Gauntlet on Solaris, but this is a production
    > environment I've inherited.

    If you're in the hardware firewall market, I quite like Netscreen and
    PIX. Netscreen had some issues with some software upgrades being a bit
    buggy some time recently though iirc, but on the whole, they're fairly
    solid firewalls that are easy to administer. PIX's of course don't have
    the pretty graphical interface, but are solid firewalls. I don't like
    Checkpoint, any firewall that comes by default with "Hidden Implied
    Rules" doesn't wash with me (is this still the case with newer versions
    of Checkpoint ?)

    >
    > For a good, relatively inexpensive firewall, I'd recommend the
    > Linux-Mandrake firewall solution, running on commodity Intel hardware.
    > Simple to set up, fairly easy to run, easy to maintain.

    Smoothwall definitely has its merits in this arena - and by extension
    I'd imagine IPcop does too.

    > 2. What can my sysadmin handle ? A Junior MCSE handed a

    To be honest, I don't really think an MCSE with small amounts of job
    experience should ever be handed main security responsibility. There's
    merit to outsourcing security functions in this event if you're too
    small to justify full time security staff or experienced systems
    administrators with security experience. Any firewall configured badly
    is a bad firewall, be it IPcop, Smoothwall, OpenBSD/PF, Checkpoint or
    whatever.

    Regards,

    Mark

    ---------------------------------------------------------------------------
    Thinking About Security Training? You Can't Afford Not To!
    Vigilar's industry leading curriculum includes: Security +, Check
    Point, Hacking & Assessment, Cisco Security, Wireless Security & more!
    Register Now! --UP TO 30% off classes in select cities--
    http://www.securityfocus.com/Vigilar-security-basics
    ---------------------------------------------------------------------------
    ***************************************************************************
    ** eSafe-portsmouth scanned this email for viruses, vandals and malicious
    content **
    ***************************************************************************
    ***************************************************************************
    Messages included in this e-mail and any of its attachments are those of
    the author unless specifically stated to represent WorkCover Queensland.
    The contents of this message are to be used for the intended purpose only
    and are to be kept confidential at all times. This message may contain
    privileged information directed only to the intended addressee/s.
    Accidental receipt of this information should be deleted promptly and the
    sender notified. This e-mail has been scanned by Sophos for known viruses.
    However, no warranty nor liability is implied in this respect.
    ***************************************************************************
    ---------------------------------------------------------------------------
    Evaluating SSL VPNs? Consider NEOTERIS, chosen as leader by top analysts!
    The Gartner Group just put Neoteris in the top of its Magic Quadrant,
    while InStat has confirmed Neoteris as the leader in marketshare.

    Find out why, and see how you can get plug-n-play secure remote access in
    about an hour, with no client, server changes, or ongoing maintenance.

    Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    ---------------------------------------------------------------------------
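The PIX "mail guard" behaviour Ivan Coric describes earlier in this thread (only HELO, MAIL, RCPT, DATA, RSET, NOOP and QUIT are let through to the mail server, everything else is rejected) can be modelled as a small stateful command filter. This is an added example written for this page, not Cisco's code or anything from the thread; the class and function names, the 500 reply text and the sample transcript are all constructed. It also watches the server's 354 reply so that message-body lines after DATA are not mistaken for commands, which is why such a filter has to look into both directions of the session rather than just match strings.

```python
ALLOWED_VERBS = frozenset({"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"})
REJECT_REPLY = "500 Command unrecognized"  # constructed reply text, assumption

class SmtpCommandGuard:
    """Stateful SMTP verb filter modelled on the PIX mail guard (added example)."""
    def __init__(self):
        self.in_data = False       # inside a DATA body: lines are not commands
        self.data_pending = False  # DATA forwarded, waiting for the server's 354
        self.blocked = []          # refused verbs, for logging or alerting

    def client_line(self, line):
        """Inspect a client->server line; return (forward, reply_to_client)."""
        text = line.rstrip("\r\n")
        if self.in_data:
            if text == ".":        # end-of-data marker leaves body mode
                self.in_data = False
            return True, None
        verb = text.split(" ", 1)[0].upper() if text else ""
        if verb in ALLOWED_VERBS:
            if verb == "DATA":
                self.data_pending = True
            return True, None
        self.blocked.append(verb)  # the guard answers; the server never sees it
        return False, REJECT_REPLY

    def server_line(self, reply):
        """Watch server->client replies: body mode starts only after a 354."""
        if self.data_pending:
            self.data_pending = False
            self.in_data = reply.startswith("354")

def guard_transcript(transcript):
    """Run a (direction, line) transcript through the guard. Returns the
    client lines that reached the server and the verbs that were refused."""
    guard = SmtpCommandGuard()
    reached_server = []
    for direction, line in transcript:
        if direction == "C":
            forward, _reply = guard.client_line(line)
            if forward:
                reached_server.append(line)
        else:
            guard.server_line(line)
    return reached_server, guard.blocked

SAMPLE_TRANSCRIPT = [  # constructed session, not a real capture
    ("C", "HELO client.example.test"),
    ("C", "VRFY root"),        # not in the allowed set: refused
    ("C", "MAIL FROM:<a@example.test>"),
    ("S", "250 OK"),
    ("C", "RCPT TO:<b@example.test>"),
    ("S", "250 OK"),
    ("C", "DATA"),
    ("S", "354 End data with <CR><LF>.<CR><LF>"),
    ("C", "HELP here is body text, not a command"),
    ("C", "."),
    ("S", "250 Queued"),
    ("C", "HELP"),             # refused again once out of DATA mode
    ("C", "QUIT"),
]
```

Calling `guard_transcript(SAMPLE_TRANSCRIPT)` forwards the seven allowed lines (including the body line that happens to start with HELP) and records VRFY and HELP as refused verbs.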
    
