Bugtraq mailing list archives

Re: AltaVista Firewall97


From: jtb () THEO2 PHYSIK UNI-STUTTGART DE (Jochen Thomas Bauer)
Date: Mon, 1 Mar 1999 12:07:01 +0100


On Sat, 27 Feb 1999 Roger Baker <baker () DBLHELIX COM> wrote:

I was one of a few beta testers outside Digital for Firewall98.  I
pointed out this problem in the beta a year ago.  Firewall98 was going
to be released with named 4.9.6.  I raised hell, and they shipped 4.9.7
with Firewall98.
[...]
2) Better yet, upgrade to Firewall98, which fixes this problem.  Remember
that older software is more likely to have bugs.  Firewall98 is more
stable than Firewall97.

According to updated information about the BIND problem available at

http://support.altavista-software.com/kb/solutions/firewall/general/259-042398.asp

BIND 4.9.7 was shipped as part of AltaVista Firewall 98 for DIGITAL UNIX but
inadvertently was not being used. So, after upgrading to Firewall 98 you will
probably have to follow the instructions given on that page to enable the use
of BIND 4.9.7.

One more thing:
IMHO I think that Firewall97 (what about Firewall98?) lacks a "Linux-style"
interface packet filter. The currently implemented interface packet filter can
only filter packets by their IP source address to prevent IP spoofing attacks.
The next layer is the screend (screening daemon) running on the firewall, which
decides whether or not to forward a packet or redirect it to a proxy server,
based on the IP source/destination address, protocol and source/destination port
of the packet (this corresponds to the forwarding rules on a Linux packet filter).
However, unlike the Linux packet filter, the Firewall97 interface packet filter
cannot be used to protect the firewall itself by specifying appropriate input
rules based on IP source/destination address, protocol and source/destination
port. Thus, all the network daemons running on the firewall that are used only
by localhost (e.g. named and some authentication servers on Firewall97) are
unnecessarily potential targets. Maybe I'm a bit paranoid, but I think that in
computer and network security one should not rely on any software being free of
security-relevant bugs.

--
Jochen Bauer
Institute for Theoretical Physics
University of Stuttgart
Germany

PGP public key available from:
http://www.theo2.physik.uni-stuttgart.de/jtb.html
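The following is an added example by the editor, not part of the message above and not code from Firewall97, screend or Linux. It models the two layers the message distinguishes: a source-address-only interface filter (anti-spoofing), and an ipchains-style input chain that also matches destination address, protocol and port for packets addressed to the firewall host itself. It then runs constructed sample packets through both variants to show the difference the message is pointing at: an external DNS query aimed at the firewall's own named passes the source-only filter but is dropped by an input chain that admits port 53 only on the loopback interface. All interface names, addresses, rule entries and sample packets are constructed assumptions.

```python
"""Toy packet-filter model: source-only interface filter vs. an input chain.

Constructed for illustration; addresses use documentation/test ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str   # arrival interface: "lo", "inside" or "outside" (assumed names)
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# Constructed topology: the firewall has an outside and an inside address.
FW_OUTSIDE = "203.0.113.1"
FW_INSIDE = "192.168.1.1"
FW_ADDRS = {FW_OUTSIDE, FW_INSIDE, "127.0.0.1"}
INSIDE_NET = ip_network("192.168.1.0/24")
LOOPBACK = ip_network("127.0.0.0/8")


def interface_filter(pkt: Packet) -> bool:
    """Anti-spoofing check that looks at the IP source address only,
    which is all the interface filter described in the message can do."""
    src = ip_address(pkt.src)
    if pkt.iface == "lo":
        return src in LOOPBACK
    if pkt.iface == "inside":
        return src in INSIDE_NET
    if pkt.iface == "outside":
        # Packets from outside must not claim an inside or loopback source.
        return src not in INSIDE_NET and src not in LOOPBACK
    return False


# Input chain for packets addressed to the firewall itself:
# (iface, dst, proto, dport); None is a wildcard, first match accepts,
# default policy is deny. named is only used by localhost, so port 53 is
# reachable on "lo" only. The two service rules are assumed examples.
INPUT_CHAIN = [
    ("lo", None, None, None),
    ("outside", FW_OUTSIDE, "tcp", 25),   # assumed: mail relay exposed outside
    ("inside", FW_INSIDE, "tcp", 8080),   # assumed: HTTP proxy for inside hosts
]


def input_chain(pkt: Packet) -> bool:
    for iface, dst, proto, dport in INPUT_CHAIN:
        if (iface == pkt.iface and dst in (None, pkt.dst)
                and proto in (None, pkt.proto) and dport in (None, pkt.dport)):
            return True
    return False


def decide(pkt: Packet, with_input_rules: bool) -> str:
    """Return 'drop:spoof', 'forward', 'drop:input' or 'accept:local'."""
    if not interface_filter(pkt):
        return "drop:spoof"
    if pkt.dst not in FW_ADDRS:
        return "forward"   # would go to screend / forwarding rules (not modelled)
    if with_input_rules and not input_chain(pkt):
        return "drop:input"
    return "accept:local"


# Constructed sample traffic.
SAMPLES = {
    "spoofed":   Packet("outside", "192.168.1.7", FW_OUTSIDE, "udp", 53),
    "ext_dns":   Packet("outside", "198.51.100.9", FW_OUTSIDE, "udp", 53),
    "local_dns": Packet("lo", "127.0.0.1", "127.0.0.1", "udp", 53),
    "ext_smtp":  Packet("outside", "198.51.100.9", FW_OUTSIDE, "tcp", 25),
    "transit":   Packet("inside", "192.168.1.7", "198.51.100.9", "tcp", 80),
}


def compare() -> dict:
    """Map each sample to (verdict without input chain, verdict with it)."""
    return {name: (decide(p, False), decide(p, True)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (source_only, with_chain) in compare().items():
        print(f"{name:10s} source-only: {source_only:13s} with input chain: {with_chain}")
```

The "ext_dns" row is the case the message worries about: with only source-address filtering the packet reaches the firewall's own named, while the input chain drops it without any change to the daemon itself.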


