Firewall Wizards mailing list archives

Re: FW appliance comparison - Seeking input for the forum
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 2 Feb 2006 17:34:50 -0500 (EST)

On Wed, 1 Feb 2006, Dave Piscitello wrote:

Paul Melson wrote:
-----Original Message-----
Subject: Re: [fw-wiz] FW appliance comparison - Seeking input for the forum

Though I think people who buy Checkpoint stuff are somehow
non-representative (I think if one tried that with, say, Cyberguard,
we'd see a completely different picture), the results are still scary. Damn
scary. That means 80% of firewalls could be thrown off with
no further harm to security.
I'd agree that choosing a different product customer set would probably
yield different results, but I'm not sure that Check Point is going to be
worse than others.  In fact, experience tells me that the small/medium IT
shops out there that still have their NetScreen-10 or their PIX 510 with the
same rule set and software on it for 3+ years are even more likely to have
flawed configs.

Many SMBs have barebones policies. What I commonly see:

- default ANY outbound
- inbound http to a port-address-translated web server
- inbound telnet/ssh to some 3rd-party application server
  (e.g., vacation rental software on SCO boxes with credit card DBs ;-( )
- logging to the localhost (appliance), which rolls the logs
  (no long-term store)
- default admin account, same password today as configured on day 1
- IPsec using IKE AG mode with PSK

All those nasty Windows ports and protocols (138-139, 445, 5000, etc.) passing in both directions, etc...

Ron DuFresne
--
        admin & senior security consultant:  sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
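As an added illustration, not part of the thread, the following Python script flags the barebones-policy patterns Dave lists (default ANY outbound, inbound telnet, logs kept only on the appliance, unchanged default admin password, IKE aggressive mode with PSK) plus the Windows ports Ron mentions. The flat "one setting per line" format and both sample policies are constructed for the example and do not correspond to any real appliance's syntax.

```python
# Constructed sample input in a made-up flat format (hypothetical syntax,
# not any real appliance's): one "rule" or setting per line.
WEAK_POLICY = """
rule outbound any any any permit
rule inbound any dmz-web tcp/80 permit
rule inbound any app-srv tcp/23 permit
rule outbound any any tcp/445 permit
log target localhost
admin user admin password_changed no
ike mode aggressive auth psk
"""

# Same format after the fixes a reviewer would ask for (also constructed).
HARDENED_POLICY = """
rule outbound internal any tcp/443 permit
rule inbound any dmz-web tcp/80 permit
log target syslog-collector
admin user admin password_changed yes
ike mode main auth cert
"""

# Windows file/print-sharing and legacy service ports named in the thread.
WINDOWS_PORTS = {"tcp/135", "tcp/139", "tcp/445", "tcp/5000", "udp/137", "udp/138", "udp/139"}


def audit(policy_text: str) -> list[str]:
    """Return one finding per weak pattern; an empty list means none matched."""
    findings = []
    for line in policy_text.strip().splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "rule":
            _, direction, src, dst, svc, action = f  # fixed six-field rule syntax
            if action != "permit":
                continue
            if direction == "outbound" and dst == "any" and svc == "any":
                findings.append("default ANY outbound: egress is unfiltered")
            if direction == "inbound" and svc == "tcp/23":
                findings.append(f"cleartext telnet permitted inbound to {dst}")
            if svc in WINDOWS_PORTS and "any" in (src, dst):
                findings.append(f"Windows service {svc} permitted {direction} to/from any")
        elif f[:3] == ["log", "target", "localhost"]:
            findings.append("logs kept only on the appliance: no long-term store")
        elif f[0] == "admin" and f[-2:] == ["password_changed", "no"]:
            findings.append(f"default admin account '{f[2]}' still has its day-1 password")
        elif f[0] == "ike" and "aggressive" in f and "psk" in f:
            findings.append("IKE aggressive mode with PSK: prefer main mode or certificates")
    return findings
```

Running `audit(WEAK_POLICY)` yields six findings, one per pattern in the sample, while `audit(HARDENED_POLICY)` returns an empty list.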
