Firewall Wizards mailing list archives
WatchGuard Firebox was RE: Question about CyberGuard
From: Mark Teicher <mht () clark net>
Date: Thu, 25 Dec 1997 06:46:03 -0500 (EST)
David, Gary, <edited for brevity> <comments within>
> I do know that we have more than a few customers with several thousand users behind a red box.
A thousand users?? What types of activities can the WG box handle with a 1000 users??
> For obvious reasons, I'd like to hear about the holes in WG. Do you have specific knowledge of such holes?
Where would you like me to start??
> All software products have bugs, and security products have security-related bugs. Though we have tested out pretty well on security tests in various environments (of course, that and a thousand bucks will buy you a copy of Windows NT server).
Hmm, I do not recall seeing a test report on your web page nor a FAQ discussing the various security-related issues with different operating environments???
> Given our design approach I believe that WG is pretty darned secure.
Design approach???
> We run in an extremely stripped-down environment. No shells, no
All the processes on the box run as root, should have been designed to have the box run the applications or services at a lesser privileged account.
> network daemons, no way for other user processes to run. The out-of-the-box configuration (after running our wizard) is quite secure (only proxied SMTP and DNS are allowed to the internal network, HTTP and FTP may be allowed to a host on a DMZ network). Unless a
HTTP Proxy ..
> user edits the configuration directly with a text editor or allows a busted network service (rsh, rlogin, SNMP, the list is really endless) through the red box, it should stay that way.
I did not see this issue in the manual, about warning the user of running a busted service..
> It really is a "stance" issue. Most NT or Unix-based firewalls require that the installer do various nontrivial things (install OS patches, alter system configuration files, et al) to get a secure configuration. WG systems require that the installer do nontrivial things to make the configuration insecure.
Except be aware of the security issues of running a particular service through the firebox. I really think your above statement skipped that installing a firewall or internet security solution is more than just securing an OS, installing patches, altering system config files, et al. It is really understanding the particular environment you are working in, understanding their security issues, writing policy, documenting, having a thorough understanding of network architecture and the particular solutions available. WatchGuard Technologies Firebox is one of many.
Sincerely,
Mark H. Teicher
> David Bonn
> VP Engineering, Watchguard Technologies, Inc.
> david.bonn () watchguard com
########################################################## 'Turn on, Boot Up, Jack in' #########################################################