Firewall Wizards mailing list archives
RE: Gauntlet: source code anyone ?
From: "McMahan, Peg" <PMcMahan () v-one com>
Date: Thu, 18 Mar 1999 17:45:05 -0500
My guess would be that very very few people report these types of bugs. Working at a gauntlet reseller and having worked in the training department here (thank gods I don't do *THAT* anymore) I got a good chance to see what John.Q.FirewallAdmin is like... I shouldn't generalise, but the majority of people who came for training on the unix products we sold (including gauntlet) had never sat in front of a unix box before. Had to talk them through commands letter by letter... Many wouldn't have any concept of what source code was, much less understand or recognise a 'buffer overflow'. Good firewall admins are (quite unfortunately) the exception. Also, having been part of a support organisation, we have no records of anyone ever asking us for product source code. In as much as I've dealt with end-users, I've never even been asked about the 'security' of the firewall. People assume that since it's a firewall, it's immune to attack entirely. :-----Original Message----- :From: Darren Reed [mailto:darrenr () reed wattle id au] :Sent: Wednesday, March 17, 1999 4:50 PM :To: firewall-wizards () nfr net :Subject: Gauntlet: source code anyone ? : : : :There has been much discussion about "must have source code" by people :who populate these lists for security products, however, in line with :comments brought up before, there is apparently little benefit for the :vendor or customer (except that the customer has the ability :to introduce :their own bugs ;). : :Why do I say that ? Well, recently I was in a position to :have the time :to do a quick review of Gauntlet source code. Just for laughs, I tried :something stupid like "grep sprintf */*.c". The scary part is that the :output was rather lengthy. Upon having a closer look at one :file (x-gw.c), :it became quickly apparent that fixed buffer sizes (some of which were :too small) were littered through the code and whilst single buffers :could be overflowed, by some stroke of luck it doesn't appear easy to :exploit. To make it even worse, this was 4.1, not some early rev. :If you use Gauntlet and have the time, setup a host with a full length :domain name (256 characters) and try accessing each of the Gauntlet :services using it... : :Getting back to the larger issue, this indicates a few of things to me: : :1. you can't trust firewall vendors to write good, secure, code; : :2. vendors don't appear to do a lot of testing, particularly :of boundary : cases (just like all good s/w engineers should); : :3. vendors don't appear to have a very good quality control; : :4. those who buy commercial firewall products aren't interested in : doing a code review of their vendor. : :Of course these are generalised points given one experience, but one :would have though that of any firewall, Gauntlet would have been the :most correct... : :Just before I finish, has anyone ever submitted a patch to TIS/NAI for :Gauntlet to fix security holes ? Do they reject them or simply sit :on them ? : :Darren :
Current thread:
- Re: Gauntlet: source code anyone ?, (continued)
- Re: Gauntlet: source code anyone ? Darren Reed (Mar 21)
- Re: Gauntlet: source code anyone ? Marcus J. Ranum (Mar 21)
- Re: Gauntlet: source code anyone ? Craig H. Rowland (Mar 22)
- Re: Gauntlet: source code anyone ? Darren Reed (Mar 21)
- Re: Gauntlet: source code anyone ? Mark E. Smith (Mar 23)
- Re: Gauntlet: source code anyone ? Joseph S D Yao (Mar 23)
- Re: Gauntlet: source code anyone ? David Lang (Mar 23)
- Re: Gauntlet: source code anyone ? Steve George (Mar 21)
- Re: Gauntlet: source code anyone ? dreamwvr (Mar 22)
- Re: Gauntlet: source code anyone ? ark (Mar 19)
- Re: Gauntlet: source code anyone ? David Lang (Mar 21)
- RE: Gauntlet: source code anyone ? McMahan, Peg (Mar 19)
- Re: Gauntlet: source code anyone ? Kees Hendrikse (Mar 21)
- Re: Gauntlet: source code anyone ? Darren Reed (Mar 21)
- Re: Gauntlet: source code anyone ? Kees Hendrikse (Mar 21)
- RE: Gauntlet: source code anyone ? chris michael (Mar 22)
- RE: Gauntlet: source code anyone ? ark (Mar 22)
- Re: Gauntlet: source code anyone ? Steve George (Mar 22)
- Re: Gauntlet: source code anyone ? Darren Reed (Mar 22)
- Re: Gauntlet: source code anyone ? David C Niemi (Mar 23)
- Re: Gauntlet: source code anyone ? Frederick M Avolio (Mar 23)
- Re: Gauntlet: source code anyone ? Marcus J. Ranum (Mar 23)
- Re: Gauntlet: source code anyone ? Darren Reed (Mar 22)