Re: Firewall choice for web hosting
From:Date: 08/02/02
- Next message: : "Re: Upgrade strategy for CP4.1 to NG"
- Previous message: Matthew X. Economou: "Re: Relationship SSH <-> VPN ??"
- In reply to: karl [x y]: "Re: Firewall choice for web hosting"
- Next in thread: karl [x y]: "Re: Firewall choice for web hosting"
- Reply: karl [x y]: "Re: Firewall choice for web hosting"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 02 Aug 2002 21:40:55 +0100
I think your definition of flaws may be flawed.

Most of the published Checkpoint "flaws" require a significant degree
of ineptness on the part of the firewall admin, or collusion from
within the protected network, to exploit significantly. Checkpoint, on
the other hand, have been fairly straight about admitting and, more
importantly, fixing issues when they are reported.

Checkpoint have issued 6 service packs for the Nokia release of
Firewall-1, each one correcting functionality bugs and adding
features, and a few (only one that really does anything significant,
SP-3) that fix actual compromises.

The other major "announcements" of flaws (the RDP hack and the GUI
overflow attack) were issued as hotfixes within a day or two. Both
attacks required poor administration and/or collusion.

Considering the Nokia platform specifically, a properly installed
Nokia IP-series firewall can be closed down to just port 22 listening
(in RSA auth mode only) BEFORE the Checkpoint software is installed
and configured. Incidentally, this configuration eliminates exposure
of the Apache webserver running the GUI (although the GUI can still be
reached, encrypted, without the need for SSL support, via SSH
port-forwarding).

Once the Checkpoint software is installed, if the device is a
management server (or log server), the GUI may be connected through
the encrypted SSH stream without the need for any kind of entry in
GUI-clients, making administration very easy yet VERY secure.

If you are Unix-familiar, it is possible to create similarly protected
environments on Solaris- and Linux-based firewall bases, and even Win2k
can be hardened almost to the same point, including the use of OpenSSH
for Windows as a management port.

I find all of this infinitely more acceptable than telnet connections
to a Cisco, and of course the Checkpoint GUI really is streets ahead
of all of its rivals, even though many of us love to complain about it
nonetheless.

At the end of the day, the firewall is simply one piece of the
security jigsaw. You can build the world's tightest rulebase on the
most patched and hardened operating system, and as soon as you allow
Internet connections to a bastion host server, the focus of your
security has been moved and the size of the problem increased.
NetMonkey
=======================================
On Wed, 24 Jul 2002 12:58:41 -0400, "karl [x y]"
<jamescagney90210@excite.com> wrote:
>If you're concerned about number of flaws, I think FW-1 has so far tended to
>have more flaws and patches than other firewalls, before you even consider
>the OS. Again, if you're just concerned about number of bugs and patches,
>running FW-1 on an appliance like Nokia is probably better than running it
>on Windows or *nix.
>
>You could also evaluate Netscreen or a low-end PC running free OpenBSD. One
>advantage to OpenBSD is that there are a lot of options you can afford to
>add to it, like additional network interfaces to create a DMZ, reporting, a
>second identical unit for a contingency plan, local on-site 24x7 support
>from a third party, etc.
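As an added illustration of the management posture NetMonkey describes (a firewall listening only on port 22 with key-based authentication, and the GUI reached through an SSH port-forward rather than exposed on the wire), the following POSIX shell script is example code written for this page; it is not from the original post, nor from Nokia or Checkpoint tooling. It audits an OpenSSH sshd_config for settings that weaken that posture and builds the client-side port-forward command. The hostname fw.example.net, the admin user, the assumed GUI port 18190 and both sample config files are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Audits an OpenSSH sshd_config
# for the "only port 22 listening, key-based auth only" management posture
# and prints the SSH local port-forward used to reach the management GUI
# over the encrypted stream instead of exposing it directly.
# Hostnames, port numbers and the sample config files are constructed
# assumptions for illustration.

# Look up the effective (last) value of a directive, case-insensitively,
# skipping comment lines. Prints an empty string if the directive is unset.
sshd_get() {   # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { val = $2 }
        END { print val }' "$1"
}

# Print one line per weakening setting. Exit status 0 = clean, 1 = findings.
sshd_audit() {  # $1 = config file
    f="$1"; n=0
    [ "$(sshd_get "$f" PasswordAuthentication)" = "no" ] \
        || { echo "PasswordAuthentication should be no (keys only)"; n=$((n+1)); }
    [ "$(sshd_get "$f" PubkeyAuthentication)" != "no" ] \
        || { echo "PubkeyAuthentication must not be disabled"; n=$((n+1)); }
    [ "$(sshd_get "$f" PermitRootLogin)" != "yes" ] \
        || { echo "PermitRootLogin yes exposes the root account directly"; n=$((n+1)); }
    [ "$(sshd_get "$f" PermitEmptyPasswords)" != "yes" ] \
        || { echo "PermitEmptyPasswords yes must never be set"; n=$((n+1)); }
    [ "$n" -eq 0 ]
}

# Number of findings, for scripting.
sshd_audit_count() { sshd_audit "$1" | wc -l | tr -d ' '; }

# Build the client-side command that tunnels the GUI port through SSH:
# the GUI client is then pointed at 127.0.0.1:<local port>, so the
# firewall never has to listen for GUI clients on the network.
gui_forward_cmd() {  # $1 = firewall host, $2 = local port, $3 = GUI port on the firewall
    printf 'ssh -N -L %s:127.0.0.1:%s admin@%s\n' "$2" "$3" "$1"
}

# Constructed sample configs: a permissive one and a hardened one.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# constructed sample: out-of-the-box, password logins allowed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
EOF

HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
# constructed sample: management access by public key only
Port 22
ListenAddress 10.0.0.1
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
EOF

for c in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $c"
    if sshd_audit "$c"; then echo "clean"; fi
done
# Assumed GUI port 18190 on the firewall, forwarded to the same local port.
gui_forward_cmd fw.example.net 18190 18190
```

Run against the real sshd_config on the management host to get a findings list; with the tunnel up, the GUI client is configured to talk to 127.0.0.1 on the local port, and the firewall's GUI listener can stay bound to loopback or behind the SSH-only rule.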