[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Information, We want information

> From: [email protected] (Todd Glassey)

> I an immediate need of info on the liabilities of BSD type systems, and in
> particular the BorderWare products.
> I heard that in the BorderWare product itself, there are several recently
> discovered potential "holes"...
> I have a particular interest in both the Attack MO against the BSD
> platforms in general and the Border products in particular...
> Please do not send the reply to the lists but to me personally
> ([email protected]). I will summarize if I get enough info to be worth the
> effort.
> Any comments?

Let me make a very clear statement. No site protected by BorderWare has
ever had its Firewall penetrated. Never. 

This is the second time I've heard rumors about insecurities in the
BorderWare software with nothing being brought out to substantiate them.  I
guess this is just an unfortunate part of doing business - especially in the
security domain.  I get a bit annoyed by this kind of thing since,
regardless of whether we refute such comments, after the discussion itself
is forgotten people will often remember that they heard something about a
problem with product X. This isn't a criticism of you Todd - you are just
reporting that you've heard rumors and asking about them, which is a
perfectly reasonable thing to do. 

Obviously the rumors you heard haven't come along with any facts since
you're asking here for the "Attack MO".  I would very much like to here about
any problem that is real, since if there were any weaknesses we would want
to fix them and disseminate the fix as fast as possible. 

Border takes any potential problem very seriously.  A couple of months ago
there was a potential weakness that was discovered in the process of
Border's ongoing efforts to ensure the security of the product.  It was only
a security risk with a very specific configuration.  No customer has ever
reported seeing this. Within two days of this discovery we had a fix and
the fix was being actively pushed through the distribution channels to the
customer base. It was given high priority and we had our support people
calling down to the reseller channels to ensure that they were aware and
that they got it out to their clients.  We intended to make sure that this
potential problem was immediately removed from the firewall even though no
one had actually reported a problem.

The fix was given free of charge to anyone whether they had a support
contract or not.  Some customers were even upgraded to a newer version of
BorderWare so they could receive the fix.  We strongly believe that our
customers are entitled to the best available protection.  They bought a
Firewall for security and they should expect it to be secure.  Border will
do everything that we can to ensure this is always the case.  So, anyone out
there if you believe you have some real attack mechanism we want to know.

Now that you've sat through the general ranting part of my comments, let me
try to answer the BSD specific part.  As far as BSD based OS's in general I
don't think there is reason to believe that they are any more or less secure
than System V based Unix's (or other non-Unix based operating systems for
that matter).  They all have pro's and con's and they have all had problems
and I don't think that one variant has had more problems historically than
the other. That said, Border doesn't use a stock BSD based OS anyway.  We
have put a large amount of effort into "hardening" the kernel so that it is
a solid base upon which to build a secure firewall.

We don't believe that any stock OS which was designed for a dynamic
environment with users on it will really be secure.  There are far too many
instances (with just about any OS, Unix or otherwise) where someone has
gained privilege or increased access to a system by taking advantage of some
feature once they managed to get on the box.  A firewall should be a static,
non-user environment which means that many features are just not required
and can be removed or their behavior significantly changed and limited. We
spent a considerable amount of manpower stripping down the kernel and
leaving only what was really needed.  We removed the mechanisms which can be
used to gain privilege or increase the levels of access to the system. The
BorderWare kernel is in fact one of its strongest assets, and not a
potential weakness.

Glenn Mackintosh
V.P. Technology
Border Network Technologies Inc.                 Email: [email protected]
20 Toronto Street, Suite 400,                    Tel: +1 416 368 7157
Toronto, Ontario, Canada, M5C 2B8                Fax: +1 416 368 7789