Penetration Testing mailing list archives
Re: [PEN-TEST] Nortel Contivity Extranet Switches
From: Chris Calabrese <christopher_calabrese () MERCK COM>
Date: Mon, 28 Aug 2000 15:19:54 -0400
I looked into this product myself recently. As for weaknesses...I don't know much about the VPN side, but, according to folks at Nortel, the CP Firewall-1 implementation is based on version 3.x, which does have several known weaknesses (I'm assuming Nortel hasn't developed patches for the things CP has said 'upgrade to 4.x to fix'). Furthermore, the VPN stuff is not integrated with the firewall stuff (i.e., you can't have firewall rules that say things like 'this user can get to this service over a crypto tunnel').

On the other hand, the FW-1 module is also being discontinued at the end of September, so there's not much point in worrying about it too much :-)

Instead, Nortel will be hawking a new firewall module based on technology from Shasta Networks (which they've recently acquired). The current Shasta lineup is aimed at firewalls for ISPs and ASPs, and does indeed feature the VPN/Firewall integration missing in the current Contivity lineup. On the other hand, it's also not nearly as widely used/abused as FW-1, so there may be undiscovered daemons under the hood. And, being aimed at *SPs, it's missing many of the sorts of Enterprise Firewall features that CP's recently added to FW-1, like the HTTP security server.

On the other other hand, the above information is based on information on the Nortel web site and my phone conversations with Nortel and Shasta sales folks. Since I wasn't non-disclosed and they don't have much information on the Shasta-ized version of the Contivity yet, my statements about the current Shasta offerings may not apply to that product.

"Ogle Ron (Rennes)" wrote:

We are testing the Nortel Contivity switch. Nortel advertises that this switch is a firewall and should be placed in parallel with your other firewalls. I know that you can install CheckPoint Firewall-1 on the switch, but the Nortel representative says that there are problems with this type of install. I haven't been able to find any evidence that this product has been independently tested for security weaknesses. Does anyone know of a site where I can get independent information on this product or know of weaknesses? We ran ISS 6.01 against it, and it didn't find any problems. Are there any IPsec gotchas that might be exploitable from this implementation? Any information would be greatly appreciated before we install this in parallel. Thanks in advance.

Ron Ogle