Re: Firewall comparison
Steve George (stevege@i-way.net.uk)
Tue, 02 Mar 1999 17:12:47 +0000
Hi John,
This sounds pretty interesting, haven't heard of this penetration
before.
If you could provide more information on how this is done and exactly
how it would affect a network that would be fantastic. There doesn't
seem to be anything on your web pages: if information about a specific
FW is commercially sensitive just some information on how to implement
the attack would be useful. Perhaps you could put out one report of
where you have penetrated a FW, redacting any company info of course, it
would be very useful for everyone to know how such an intrusion is done -
and I'm sure would bring you clients from the lurkers on this list ;-)
Best wishes,
Steve
> John McDonald wrote:
>
> The only problem with the firewalls you've mentioned....They cannot detect fragmented packet UDP storms..which is the very first penetration test we attempt to penetrate the firewalls of very recognizable companies.
>
> These firewalls need to be configured from scratch and those who are very intent on keeping their secret information secret will rely on more robust firewalls that are incredibly more secure. We have run penetration tests on every firewall imaginable over the course of the last five years. Our analysis has led us to Firewall-1 being the most secure firewall, when properly configured, on a Unix platform. We have been able to easily penetrate almost every firewall in under 24 hours, most in under 20 minutes. Generally due to misconfiguration.
>
> Please do not rely on home grown firewalls in a commercial organization unless you possess *extensive* knowledge of security and routing. Otherwise, you may need to look for another job, because being hacked is NOT fun and is NOT an option for repeatable companies.
>
> John D. McDonald
>
> Phone: 510.713.8880 ext. 306
> Fax: 510.713.3456
> E-mail: JohnM@NetworkGuys.com
> Web: www.NetworkGuys.com
>
> Secure Enterprise Connectivity
> Managed Security Managed Firewall
> Anti-Virus-Vandal Firewalls
> Security Audits VPN
> Digital Certificates Security Systems
> 24x7 Network Monitoring/Hacker intrusion
>
> -----Original Message-----
> From: Bennett Todd [mailto:bet@newritz.mordor.net]
> Sent: Friday, February 26, 1999 9:44 AM
> To: Radovan Semancik
> Cc: ark@eltex.ru; firewall-wizards@nfr.net
> Subject: Re: Firewall comparison
>
> 1999-02-25-13:29:00 Radovan Semancik:
> > > What info exactly are you interested in? Security? Performance? Design and
> > > technology issues? Implementation features and bugs?
> >
> > Design and technology. That's the thing that changes very slowly and has
> > a major influence on overall security and performance.
>
> I've gotta agree on that.
>
> These days, the design and technology that seems to me to make the best
> firewalls for many, perhaps most settings, are a good well-supported Open
> Source Unix-like OS like Linux or one of the free BSDs, together with a
> suitable mix of proxies for your needs (e.g. TIS fwtk, smtpd, plugdaemon,
> rinetd, qmail, squid), all nicely reinforced with some nice packet filtering
> like ipfw or ipfilter. The technology here isn't a big step from the oldest
> firewalls, mostly just adding the packet filtering reinforcement, but it's
> still the best. Packet filtering firewalls like the FW1 and the Pix are nice
> as somewhat sturdier replacements for screening routers, but for serious
> protection I'd rather have data streams getting proxied at the top of a nice
> solid IP stack and regenerated as nice shiny new packets, rather than having
> dirty packets from the outside passed right through by a filter.
>
> -Bennett
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:15 CDT