Firewall Wizards mailing list archives

WatchGuard Firebox was RE: Question about CyberGuard


From: Mark Teicher <mht () clark net>
Date: Thu, 25 Dec 1997 06:46:03 -0500 (EST)

David, Gary,

<edited for brevity>

<comments within>

I do know that we have more than a few customers with several thousand
users behind a red box.

A thousand users??  What types of activities can the WG box handle with
1000 users??


For obvious reasons, I'd like to hear about the holes in WG.  Do you
have specific knowledge of such holes?


Where would you like me to start??


All software products have bugs, and security products have
security-related bugs.  Though we have tested out pretty well on
security tests in various environments (of course, that and a thousand
bucks will buy you a copy of Windows NT server).

Hmm, I do not recall seeing a test report on your web page nor a FAQ
discussing the various security-related issues with different operating
environments???

Given our design approach I believe that WG is pretty darned secure.

Design approach???

We run in an extremely stripped-down environment.  No shells, no
network daemons, no way for other user processes to run.

All the processes on the box run as root; it should have been designed to
have the box run the applications or services under a less privileged
account.


The out-of-the-box configuration (after running our wizard) is quite
secure (only proxied SMTP and DNS are allowed to the internal network,
HTTP and FTP may be allowed to a host on a DMZ network).

HTTP Proxy ..

Unless a user edits the configuration directly with a text editor or
allows a busted network service (rsh, rlogin, SNMP, the list is really
endless) through the red box, it should stay that way.

I did not see this issue in the manual, about warning the user about
running a busted service..


It really is a "stance" issue.  Most NT or Unix-based firewalls
require that the installer do various nontrivial things (install OS
patches, alter system configuration files, et al) to get a secure
configuration.  WG systems require that the installer do nontrivial
things to make the configuration insecure.

Except be aware of the security issues of running a particular service
through the Firebox.  I really think your above statement skipped over the
fact that installing a firewall or Internet security solution is more than
just securing an OS, installing patches, altering system config files, et al.
It is really understanding the particular environment you are working in,
understanding their security issues, writing policy, documenting, having a
thorough understanding of network architecture and the particular solutions
available.  WatchGuard Technologies' Firebox is one of many.

Sincerely,

Mark H. Teicher

David Bonn
VP Engineering, Watchguard Technologies, Inc.
david.bonn () watchguard com


##########################################################
'Turn on, Boot Up, Jack in'
#########################################################    
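The exchange above turns on one design point: whether a firewall's proxies keep running as root or drop to an unprivileged account once they have what they need from root. The following is an added example, written for this archive page and not code from the post or from WatchGuard, showing the usual Unix pattern: bind the privileged listening port first, then permanently switch uid/gid in the right order, then verify that root cannot be regained. The service account name "nobody", port 25 and the loopback address are assumptions chosen for the demonstration.

```c
/* Added example (not from the mailing-list post or any vendor code):
 * a network service that starts as root only to bind a privileged port,
 * then permanently drops to an unprivileged account before handling
 * any untrusted input, plus a check that the drop is irreversible. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch the calling process to uid/gid.
 * Order matters: supplementary groups and the primary gid must be changed
 * while still root, because after setuid() no privilege is left to do so.
 * Returns 0 on success or -errno on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Clearing the supplementary group list needs root; an
         * unprivileged caller has no root-inherited groups to clear. */
        if (setgroups(0, NULL) != 0)
            return -errno;
    }
    if (setgid(gid) != 0)
        return -errno;
    if (setuid(uid) != 0)
        return -errno;
    return 0;
}

/* Verify the drop is real: real and effective ids match the target, and
 * an attempt to regain root fails. If setuid(0) succeeded here, the saved
 * uid was still 0 and the "drop" was cosmetic (the seteuid() mistake).
 * Returns 1 when privileges are dropped, 0 otherwise. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)
        return 0;   /* got root back: not really dropped */
    return 1;
}

/* Open the listening socket while still privileged (ports below 1024 need
 * root on classic Unix). Loopback only for the demo.
 * Returns the listening fd, or -errno. */
int bind_listener(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0 ||
        listen(fd, 16) != 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

int main(void)
{
    /* Assumed service account; a real firewall would create a dedicated
     * account per proxy rather than reuse "nobody". */
    const char *account = "nobody";
    int fd = bind_listener(25);              /* assumed: SMTP proxy port */
    if (fd < 0) {
        fprintf(stderr, "bind: %s\n", strerror(-fd));
        return 1;
    }
    struct passwd *pw = getpwnam(account);
    if (pw == NULL) {
        fprintf(stderr, "no such account: %s\n", account);
        return 1;
    }
    int rc = drop_privileges(pw->pw_uid, pw->pw_gid);
    if (rc != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(-rc));
        return 1;
    }
    if (!privileges_dropped(pw->pw_uid, pw->pw_gid)) {
        fprintf(stderr, "privilege drop did not take\n");
        return 1;
    }
    printf("listening as uid %u; root cannot be regained\n", (unsigned)getuid());
    /* The accept()/proxy loop would run here as the service account. */
    close(fd);
    return 0;
}
```

Run as root it binds port 25, drops to "nobody" and confirms setuid(0) now fails; run unprivileged the bind fails, which is the point: the only work done as root is the bind. A box whose proxies skip the drop step keeps every parser bug in those proxies at root, which is the objection raised in the reply above.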
