Firewall Wizards mailing list archives
Re: Ports 256,257,258 open on FW-1
From: Neil Buckley <nbuckley () wsi com>
Date: Wed, 30 Dec 1998 10:13:34 -0500
Stefan,

I agree 100% with you that the Nokia's limited OS apps and binaries are a major plus when comparing it to a general purpose OS. It does still contain exploitable binaries, apps, and processes that can become increasingly visible in a high availability deployment utilizing dynamic routing protocols.

To clarify my statement: My perspective on the Nokia platform was relative to the issues in the advisory surrounding a FW-1 install, and that by moving to a platform such as Nokia you were not going to see those issues go away.

IMHO: I would not want to see the Nokia platform become the default platform for FW-1 because it's heralded as a "hardened OS". I think this would lull the uneducated admin into thinking that if they purchase FW-1 on the Nokia platform that they now have nothing to be concerned about.

--Neil

"Moser, Stefan" wrote:
Neil,

I don't agree with your statement that 'the nokia platform has all the same security issues that are inherent in the other platforms that checkpoint runs on'. It sure isn't perfect, but at least it doesn't ship with out of date sendmail and bind binaries, dodgy hosts.equiv files, inet.d entries and network daemons of dubious virtue that are started by default, questionable setuid permissions, unused logins, leaky X servers and various other, mostly well known, security snafus. I won't even start rambling about NT.

Given enough talent and time, you can harden any given OS platform to the point of the Nokia box, possibly even beyond - however, both talent and time seem to be rather precious commodities these days.

At the end of the day I do think that the Nokia box, albeit not perfect, does compare favorably to a general purpose machine as far as platform security goes. It takes considerably less resources to get to a - for most people - acceptable level. I'd define acceptable here as better than the majority of firewall installations I've seen.

However, speaking of firewalls, the IP400 is afflicted by the same default settings as the other platforms.

-Stefan

-----Original Message-----
From: Neil Buckley [mailto:nbuckley () wsi com]
Sent: Monday, December 28, 1998 3:27 PM
To: jgalvin () cs loyola edu
Cc: Wayne Miyamoto; firewall-wizards () nfr net
Subject: Re: Ports 256,257,258 open on FW-1

Hi All,

Since there was an official security advisory issued, that would mean to me that someone noticed a rising trend in exploits coming from these misconfigured firewalls. If that is true then awareness needed to be raised, i.e. the public needed to be educated. If the information was widely known then the administrators configuring these firewalls had no idea of the compromising position they placed themselves in when they left these services available and again the public needed to be educated.
The painful truth is that if you're going to make a security product that ANYONE can configure with the click of the mouse it should be secure "Out of the Box", because eventually someone with little to no experience will be charged with getting it set up and unless you have been working in the security arena for a while or happen to subscribe to mailing lists like this one, you would miss the ramification and liability of your configuration selections.

So, the Advisory in question may not have stated anything new, but it did raise awareness and possibly reached an uneducated administrator, which I believe is a "good thing" and should continue with any security product or OS.

--Neil

PS. The nokia platform has all the same security issues that are inherent in the other platforms that checkpoint runs on.

jgalvin () cs loyola edu wrote:

Jenn:

Very few FW vendors discuss much about how to harden the OS running the FW. The Checkpoint SysAdm course covers mostly how to manage FWs and policies, not much on OS configs.

One of the best ways to verify your OS config and FW is to run a good scanner against it. I always run an "as designed" scan, then harden down the FW/OS in conjunction with the customer policy. It helps take guesswork out and add consistency to the FW design.

Issuing a security advisory on a default setting is not a discussion of security or OS hardening, it's a misrepresentation of widely known information.

The reason OS configs and hardening is not covered in a Checkpoint training class is that Firewall-1 is a software package. Checkpoint does issue it as a firewall, true, but it is common knowledge that, unless you buy a dedicated hardware platform, like Nokia, most of the default settings on your workstation (which are also widely known information) will be a problem from a security standpoint.

Should we next issue a security advisory for all the default settings on an out-of-box install for Solaris, like NT? How about default settings in general?
A security advisory is meant for a loophole in a package that is supposed to NOT do what the advisory states. Checkpoint Firewall-1 has the capability to either reject or accept the types of connections specified in the Properties window, depending on the user preference. So the security advisory in question is only a misrepresentation of widely known information.

Regards,
Jenn