Firewall Wizards mailing list archives
Re: Re: Firewalls breaking stuff: [Was re: fwtk]
From: Paul Robertson <proberts () patriot net>
Date: Mon, 22 Jul 2002 17:50:59 -0400 (EDT)
On Mon, 22 Jul 2002, Charles W. Swiger wrote:
> That's not correct.

Sorry, I was thinking of the accelerator/decryptors which started the thread- you're right- some products don't handle the SSL stream, but that doesn't make them bug-free, and certainly doesn't mean that tainted data won't be passed through the server to them.

> > > [ Short of compromising and going through the HTTPS server machine, that is. ]
> >
> > It *is* the HTTPS server, that's the idea [NPI].
>
> The machine the SSL accelerator is connected to would be running HTTPS, but an SSL accelerator isn't an HTTPS server. A PCI card or a dongle on the SCSI chain doesn't have a network interface, and would not be listening on port 443/tcp even if it could speak HTTPS.

That doesn't mean that it doesn't have, say, the ASN.1 bugs that we've seen in LDAP and SNMP. That doesn't mean they're not exploitable via that vector either.

> > Only those who turn that feature on and rely on it for operations.
>
> And those who turn the feature on but don't rely on it. And those using switches shipped with SNMP enabled by the vendor's default who haven't turned it off. And those not using SNMP now but want to close a potential hole if they (or someone else) enables the feature later.

The point would be what? That people using featurful products need to keep up to date? No arguments here.

> Marcus claimed the SSL crypto-accelerator box was "mystical" and "unauditable" in the part quoted above, but you've claimed that "nothing is unauditable". Regardless of which one of you is correct, my point remains that a box labelled "Cryptoswift" is not inherently more or less secure than a box labelled "Cisco" (or Nokia, or Lucent, etc).

That's not the argument though- the argument is that adding a complex protocol (or complex bunch of calls) adds a potential for more attacks against the device. It may be more or less secure- part of the reason that I'm skeptical about it is that I've read all the Lab reports on our site for VPN devices, talked to a lot of vendors in a former life (including vendors with products on the EPL) and frankly I'm not all that impressed with the level of security put in most encryption products. I'd rather go with something where I know things like IVs have been tested than something where I don't know that at all- either I have to test it, or I have to trust someone else to test it. In either case it gives me an advantage over something that I have no testing information on. What if your card starts with the same IV every time?

> If you can audit a Cisco VPN router, you can audit a Cryptoswift SSL box.

Maybe, maybe not- it depends on the tools and functions- which is why what's evaluated and how is important when depending on evaluations[1].

Paul

[1] Yes, the royal we certainly can, but that market seems to not be all that interested.

-----------------------------------------------------------------------------
Paul D. Robertson          "My statements in this message are personal opinions
proberts () patriot net     which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment
                           TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
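Paul's closing question, "What if your card starts with the same IV every time?", is something an evaluator can check for directly rather than take on trust. The following is an added example and is not part of the original post, nor code from any product named in the thread: a toy CBC construction (an HMAC-based Feistel permutation stands in for a real block cipher and is constructed purely for illustration) is run under a constant IV and under a fresh random IV, a function shows what an observer learns from the constant-IV output (identical messages give identical ciphertexts, and a shared plaintext prefix shows up as shared ciphertext blocks), and a second function flags repeated IVs in a batch of captured records. The key, the messages and the constant IV are all constructed values.

```python
import hashlib
import hmac
import os
from collections import Counter

BLOCK = 16  # block size in bytes


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy cipher: keyed HMAC-SHA256 truncated to half a
    # block. Constructed for this illustration; not a real cipher design.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 8-round Feistel permutation over one 16-byte block.

    A Feistel network is a bijection whatever its round function, so equal
    inputs give equal outputs and distinct inputs give distinct outputs; that
    is the only property the demonstration below relies on.
    """
    if len(block) != BLOCK:
        raise ValueError("block must be exactly %d bytes" % BLOCK)
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(8):
        f = _round_fn(key, rnd, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC encryption with PKCS#7 padding; returns iv || ciphertext blocks."""
    pad = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad]) * pad
    prev, out = iv, []
    for off in range(0, len(data), BLOCK):
        chained = bytes(a ^ b for a, b in zip(data[off : off + BLOCK], prev))
        prev = encrypt_block(key, chained)
        out.append(prev)
    return iv + b"".join(out)


# Constructed stand-in for a device that "starts with the same IV every time".
FIXED_IV = bytes(BLOCK)


def encrypt_fixed_iv(key: bytes, msg: bytes) -> bytes:
    """The questionable design: CBC under a constant IV."""
    return cbc_encrypt(key, FIXED_IV, msg)


def encrypt_random_iv(key: bytes, msg: bytes) -> bytes:
    """The expected design: a fresh unpredictable IV for every message."""
    return cbc_encrypt(key, os.urandom(BLOCK), msg)


def shared_prefix_blocks(ct_a: bytes, ct_b: bytes) -> int:
    """Count leading ciphertext blocks (IV excluded) that two records share.

    When two records carry the same IV, CBC block i is identical across them
    exactly when the first i+1 plaintext blocks are identical, so a non-zero
    count tells a passive observer that the plaintexts begin the same way.
    """
    a = [ct_a[i : i + BLOCK] for i in range(BLOCK, len(ct_a), BLOCK)]
    b = [ct_b[i : i + BLOCK] for i in range(BLOCK, len(ct_b), BLOCK)]
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def iv_reuse_report(records) -> dict:
    """Evaluator-side check over captured records: IVs that appear more than once."""
    counts = Counter(r[:BLOCK] for r in records)
    return {iv: n for iv, n in counts.items() if n > 1}


if __name__ == "__main__":
    key = b"constructed-key!"  # 16 bytes, constructed for the demo
    # Two constructed HTTP headers sharing a 21-byte prefix (one full block).
    m1 = b"Authorization: Basic YWxpY2U6cGFzcw=="
    m2 = b"Authorization: Basic Ym9iOnNlY3JldA=="
    print("fixed IV, shared prefix blocks:",
          shared_prefix_blocks(encrypt_fixed_iv(key, m1), encrypt_fixed_iv(key, m2)))
    print("random IV, shared prefix blocks:",
          shared_prefix_blocks(encrypt_random_iv(key, m1), encrypt_random_iv(key, m2)))
    print("IV reuse:", iv_reuse_report([encrypt_fixed_iv(key, m1), encrypt_fixed_iv(key, m2)]))
```

In a lab evaluation the last function is the one to point at a device's real output: feed it the same message twice and then a batch of distinct messages, and any IV that repeats (or any identical ciphertext for identical input) is exactly the finding Paul is asking about, independent of whether the cipher inside the box is otherwise sound.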
Current thread:
- Firewalls breaking stuff: [Was re: fwtk], (continued)
- Firewalls breaking stuff: [Was re: fwtk] Marcus J. Ranum (Jul 18)
- Re: Firewalls breaking stuff: [Was re: fwtk] Dominik Miklaszewski (Jul 18)
- Re: Firewalls breaking stuff: [Was re: fwtk] Charles W. Swiger (Jul 19)
- Re: Re: Firewalls breaking stuff: [Was re: fwtk] Paul Robertson (Jul 19)
- Re: Re: Firewalls breaking stuff: [Was re: fwtk] Marcus J. Ranum (Jul 19)
- Re: Re: Firewalls breaking stuff: [Was re: fwtk] Charles Swiger (Jul 20)
- Re: Re: Firewalls breaking stuff: [Was re: fwtk] Marcus J. Ranum (Jul 20)
- Re: Re: Firewalls breaking stuff: [Was re: fwtk] Charles W. Swiger (Jul 22)
- Re: Re: Firewalls breaking stuff: [Was re: fwtk] Paul Robertson (Jul 22)
- Re: Re: Firewalls breaking stuff: [Was re: fwtk] Charles W. Swiger (Jul 22)
- Re: Re: Firewalls breaking stuff: [Was re: fwtk] Paul Robertson (Jul 22)
- Re: FWTK and smap/smapd David Lang (Jul 16)
- Re: FWTK and smap/smapd Dominik Miklaszewski (Jul 16)
- Re: FWTK and smap/smapd Paul Robertson (Jul 16)
- Re: FWTK and smap/smapd Marcus J. Ranum (Jul 16)
- Re: FWTK and smap/smapd Frederick M Avolio (Jul 17)
- Re: FWTK and smap/smapd Paul Robertson (Jul 17)