Firewall Wizards mailing list archives

RE: FW-1 technical strength


From: "Stout, Bill" <StoutB () pios com>
Date: Mon, 28 Dec 1998 14:16:56 -0500


I have a few bones about it.  I believe most are addressable by tinkering
with it more.

1.      It's not designed to do applications filtering, so once a session is
established that looks O.K., that channel is wide open to pass any attack
commands or binaries.  Note that proxies can be added and custom pattern
matching filtering can be added (more work), but proxies/content filtering
are not part of the design; it's a session box.

2.      It's easy to misconfigure.  Most sites I visit with it are
broadcasting or internally responding to external SNMP requests.  Often
these attempts to respond result in internal SNMP broadcast storms.  Also,
the SNMP port of the firewall itself is usually open to external 'public' (a
poorly documented default value that was fixed).

3.      At one web service bureau, unserviced requests overwhelmed the
filter tables, causing the firewall to lock up, requiring hard reboot every
two to four hours.

4.      Some NT systems apparently had memory leaks, locked up, and required
occasional reboot.

5.      Poor SMTP spooling mechanism.  Sometimes it gets jammed or crashes,
and restarting loses incoming messages.  Mail flood attacks crash FW-1.
Some lost messages were important to either recipient or sender in the
cases I've seen.

6.      Tough time doing large FTP sessions through it, FTP transfers would
often die.

7.      It allows stealth scanning of the internal network since FW response
for existing nodes differs from non-existent nodes.

8.      It was going through qualification for use at U.S. government sites
since it had some NSA protocol support; however, FW-1 is made in Israel, which
is an occasional ally but is not a 'trustable entity' according to U.S.
Foreign Ownership, Control or Influence (F.O.C.I.) rules.  This was mainly a
political/security issue, above the heads and out of the hands and realm of
most corporate security folk.  A thorough review of FW-1 was posted at the
NSA X31 group/MITRE site, http://mitten.ie.org/; unfortunately, shortly after
the FW-1 report was released, the entire site disappeared.

Bill Stout
__________
Y2K will be big story of '99:
12/11/98 - U.N. suddenly fears Y2K domino effect
http://www.un.org/News/Press/docs/1998/19981211.pi1106.html
12/24/98 - Federal government plans for Y2K crisis
http://detnews.com/1998/technology/9812/24/12240168.htm
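Item 1 above calls FW-1 a "session box": once a session is admitted, the payload on that channel is not examined. The following is an added illustration, not code from the original post and not FW-1 code, contrasting a session-only filter with an application-aware one on a constructed packet stream. The packet model, the SMTP verb list and the 512-byte command-line limit (from RFC 821) are my assumptions; the SMTP check covers only the command phase, not DATA content.

```python
"""Toy comparison of a session (stateful) filter with an application-aware
filter.  Constructed illustration only; not derived from any product."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Simplified packet: endpoints, destination port, a single TCP flag
    ("SYN", "ACK" or "FIN") and an optional payload."""
    src: str
    dst: str
    dport: int
    flags: str
    payload: bytes = b""


@dataclass
class SessionFilter:
    """Session box: a SYN to an allowed port creates state; every later packet
    that matches that state is admitted.  The payload is never examined."""
    allowed_ports: frozenset = frozenset({25, 80})
    state: set = field(default_factory=set)

    def key(self, p):
        return (p.src, p.dst, p.dport)

    def decide(self, p):
        if p.flags == "SYN":
            if p.dport in self.allowed_ports:
                self.state.add(self.key(p))
                return "ALLOW"
            return "DROP"
        if self.key(p) in self.state:
            if p.flags == "FIN":
                self.state.discard(self.key(p))
            return "ALLOW"
        return "DROP"


# Assumed allow list of SMTP command verbs (command phase only).
SMTP_VERBS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"QUIT", b"RSET", b"NOOP"}


def smtp_payload_ok(payload):
    """Minimal SMTP command-line sanity check: CRLF-terminated, at most 512
    bytes, printable ASCII only, verb on the allow list."""
    if not payload:            # bare ACK / handshake segment
        return True
    if len(payload) > 512 or not payload.endswith(b"\r\n"):
        return False
    if any((b < 0x20 and b not in (0x0D, 0x0A)) or b > 0x7E for b in payload):
        return False
    verb = payload.split(b" ", 1)[0].rstrip(b"\r\n").upper()
    return verb in SMTP_VERBS


class ApplicationFilter(SessionFilter):
    """Same session logic plus a per-port payload inspector; a payload that
    fails inspection is dropped and the session state is torn down."""
    inspectors = {25: smtp_payload_ok}

    def decide(self, p):
        verdict = super().decide(p)
        if verdict == "ALLOW":
            check = self.inspectors.get(p.dport)
            if check is not None and not check(p.payload):
                self.state.discard(self.key(p))
                return "DROP"
        return verdict


def run(filter_obj, packets):
    """Return the verdict for each packet in order."""
    return [filter_obj.decide(p) for p in packets]


# Constructed stream: one inside->outside SMTP session, then a telnet SYN.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", 25, "SYN"),
    Packet("10.0.0.5", "192.0.2.10", 25, "ACK", b"EHLO mail.example.test\r\n"),
    Packet("10.0.0.5", "192.0.2.10", 25, "ACK", b"\x00\x01\xff\xfe\r\n"),  # not SMTP
    Packet("10.0.0.5", "192.0.2.10", 25, "ACK", b"QUIT\r\n"),
    Packet("10.0.0.5", "192.0.2.10", 23, "SYN"),                           # port not allowed
]

if __name__ == "__main__":
    print("session box      :", run(SessionFilter(), SAMPLE))
    print("application-aware:", run(ApplicationFilter(), SAMPLE))
```

The session filter admits the non-SMTP bytes on packet 3 because the session already exists; the application-aware filter drops that packet and, having torn the session down, also drops the QUIT that follows. Both reject the telnet SYN, since that decision needs no payload inspection.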


