Penetration Testing mailing list archives

Re: [PEN-TEST] Nortel Contivity Extranet Switches


From: Chris Calabrese <christopher_calabrese () MERCK COM>
Date: Mon, 28 Aug 2000 15:19:54 -0400

I looked into this product myself recently.

As for weaknesses...I don't know much about the VPN side, but, according to
folks at Nortel, the CP Firewall-1 implementation is based on version 3.x, which
does have several known weaknesses (I'm assuming Nortel hasn't developed patches
for the things CP has said 'upgrade to 4.x to fix').  Furthermore, the VPN stuff
is not integrated with the firewall stuff (i.e., you can't have firewall rules
that say things like 'this user can get to this service over a crypto tunnel').

On the other hand, the FW-1 module is also being discontinued at the end of
September, so there's not much point in worrying about it too much :-)

Instead, Nortel will be hawking a new firewall module based on technology from
Shasta Networks (which they've recently acquired).  The current Shasta lineup is
aimed at firewalls for ISP's and ASP's, and does indeed feature the VPN/Firewall
integration missing in the current Contivity lineup.  On the other hand, it's
also not nearly as widely used/abused as FW-1, so there may be undiscovered
daemons under the hood.  And, being aimed at *SP's, it's missing many of the
sorts of Enterprise Firewall features that CP's recently added to FW-1, like the
HTTP security server.

On the other other hand, the above information is based on information on the
Nortel web site and my phone conversations with Nortel and Shasta sales folks.
Since I wasn't non-disclosed and they don't have much information on the
Shasta-ized version of the Contivity yet, my statements about the current Shasta
offerings may not apply to that product.

"Ogle Ron (Rennes)" wrote:

We are testing the Nortel Contivity switch.  Nortel advertises that this
switch is a firewall and should be placed in parallel with your other
firewalls.  I know that you can install CheckPoint Firewall-1 on the switch,
but the Nortel representative says that there are problems with this type of
install.  I haven't been able to find any evidence that this product has
been independently tested for security weaknesses.

Does anyone know of a site where I can get independent information on this
product or know of weaknesses?  We ran ISS 6.01 against it, and it didn't
find any problems.  Are there any IPsec gotchas that might be exploitable
from this implementation?  Any information would be greatly appreciated
before we install this in parallel.

Thanks in advance.

Ron Ogle

Attachment: christopher_calabrese.vcf
Description: Card for Chris Calabrese

