Re: Ports 256,257,258 open on FW-1

[Neil Buckley <nbuckley () wsi com>]

Stefan,

I agree 100% with you that the Nokia's limited OS apps and binaries is a
major plus when comparing it to a general purpose OS.  It does still contain
exploitable binaries, apps, and processes that can become increasingly
visible in a high availability deployment utilizing dynamic routing
protocols.

To clarify my statement:  My perspective on the Nokia platform was relative
to the issues in the advisory surrounding a FW-1 install, and that by moving
to a platform such as Nokia you were not going to see those issues go away.

IMHO: I would not want to see the Nokia platform become the default platform
for FW-1 because it's heralded as a "hardened OS", I think this would lull
the uneducated admin into thinking that if they purchase FW-1 on the Nokia
platform that they now have nothing to be concerned about.

--Neil

"Moser, Stefan" wrote:

> Neil,
>
> I don't agree with your statement that 'the nokia platform has
> all the same security issues that are inherent in the other
> platforms that  checkpoint runs on'.
>
> It sure isn't perfect, but at least it doesn't ship with
> out of date sendmail and bind binaries, dodgy hosts.equiv
> files, inet.d entries and network daemons of dubiuos virtue
> that are started by default, questionable setuid permissions,
> unused logins, leaky X servers and various other, mostly well
> known, security snafus. I won't even start rambling about NT.
>
> Given enough talent and time, you can harden any given OS platform
> to the point of the Nokia box, possibly even beyond - however, both
> talent and time seem to be rather precious commodities these days.
>
> At the end of the day I do think that the Nokia box, albeit not perfect,
> does compare favorably to a general purpose machine as far a platform
> security goes. It takes considerably less resources to get to a - for
> most people - acceptable level. I'd define acceptable here as better than
> the majority of firewall installations I've seen.
>
> However, speaking of firewalls, the IP400 is afflicted by the
> same default settings as the other platforms.
>
> -Stefan
>
> > -----Original Message-----
> > From: Neil Buckley [mailto:nbuckley () wsi com]
> > Sent: Monday, December 28, 1998 3:27 PM
> > To: jgalvin () cs loyola edu
> > Cc: Wayne Miyamoto; firewall-wizards () nfr net
> > Subject: Re: Ports 256,257,258 open on FW-1
> >
> >
> > Hi All,
> >
> > Since there was an official security advisory issued, that
> > would mean to me that
> > someone noticed a rising trend in exploits coming from these
> > misconfigured
> > firewalls.  If that is true then awareness needed to be
> > raised, I.E..  the public
> > needed to be educated.  If the information was widely known
> > then the administrators
> > configuring these firewalls had no idea of the compromising
> > position they placed
> > themselves in when they left  these services available and
> > again the public needed
> > to be educated.
> >
> > The painful truth is that if your going to make a security
> > product that ANYONE can
> > configure with the click of the mouse it should be secure
> > "Out of the Box", because
> > eventually someone with little to no experience will be
> > charged with getting it
> > setup and unless you have been working in the security arena
> > for a while or happen
> > to subscribe to mailing lists like this one, you would miss
> > the ramification and
> > liability of your configuration selections.  So, the Advisory
> > in question may not
> > have stated anything new, but it did raise awareness and
> > possibly reached an
> > uneducated administrator, which I believe is a "good thing"
> > and should continue with
> > any security product or OS.
> >
> > --Neil
> >
> > PS.  The nokia platform has all the same security issues that
> > are inherent in the
> > other platforms that  checkpoint runs on.
> >
> > jgalvin () cs loyola edu wrote:
> >
> > > > Jenn:
> > > > Very few FW vendors discuss much about how to harden the
> > OS running the
> > > > FW. The Checkpoint SysAdm course covers mostly how to
> > manage FWs and
> > > > policies, not
> > > > much on OS configs. One of the best ways to verify your OS
> > config and FW
> > > > is to run
> > > > a good scanner against it.  I always run an "as designed"
> > scan, then
> > > > harden down the
> > > > FW/OS in conjunction with the customer policy.  It helps
> > take guess work
> > > > out and
> > > > add consistency to the FW design.
> > >
> > >         Issueing
> > >         a security advisory on a default setting is not a
> > discussion of
> > >         security or  OS
> > >         hardening, it's a misrepresentation of widely known
> > information.
> > >         The reason OS configs and hardening is not covered
> > in a Checkpoint
> > >         training class is that Firewall-1 is a software
> > package. Checkpoint does
> > >         issue it as a
> > >         firewall, true, but it is common knowledge that,
> > unless you buy a
> > >         dedicated hardware platform, like Nokia, most of
> > the default
> > >         settings on
> > >         your workstation (which are also widely known
> > information) will
> > >         be a problem from a security standpoint.
> > >
> > >         Should we next issue a security advisory for all the default
> > >         settings on an out-of-box install for Solaris, like
> > NT?  How about
> > >         default settings in general?
> > >
> > >         A security advisory is meant for a loophole in a
> > package that is
> > >         supposed to NOT do what the advisory states.  Checkpoint
> > >         Firewall-1 has the capability to either reject or
> > accept the types
> > >         of connections specified in the Properties window,
> > depending on
> > >         the user preference.  So the security advisory in
> > question is only
> > >         a misrepresentation of widely known information.
> > >
> > > Regards,
> > > Jenn