Re: Firewall Penetration
At 10:09 PM 7/21/96 -0400, you wrote:
>Frank Willoughby <[email protected]> wrote:
>
>>FWIW, of @70 firewalls on the market, only @5 are adequate to protect
>>a company from the hazards of the Internet.
>
> Ah, Frank, are you talking here about session hijacking and is
>end-to-end crypto the defining factor of the robust five?
Of course (Vin already knew the answer). 8^)
To answer the other questions posed on this list, the vendors who are
relatively immune to the above attacks AND are Application Gateway type
firewalls are (in alphabetical order):
Digital's Firewall for Unix - *IF* the IP Encryption Tunnel is also used
Raptor's Eagle
Technologics' firewall (This is a stretch. They claim they have encryption,
but I'm not wild about the implementation) 1/2 a point
TIS Gauntlet
V-One's SmartWall
Interestingly enough, the reason the 5 are so robust is that they employ
user->firewall encryption to help prevent session hijacking attacks.
FWIW, session hijacking isn't a theoretical attack. It is a serious
threat and (sadly) it's as simple as "point & click".
Another plus for good crypto - it not only helps protect the privacy
of data, it also helps prevent some types of hacking attacks.
Anyone can do firewall->firewall encryption (and most serious vendors
do). The hard part is getting the user->firewall encryption part to
work well. Again, as stated in my previous mail, my company doesn't
sell firewalls, so I can call things the way I see them.
As the above list will probably draw the flames of firewall vendors
who feel insulted that they aren't part of the list, I think it would
be best to move this topic over to the firewalls mailing list (where
it really belongs). See you there.
> Suerte,
> _Vin
>
> Vin McLellan +The Privacy Guild+ <[email protected]>
> 53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548
> <*><*><*><*><*><*><*><*><*>
Best Regards,
Frank
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
<standard disclaimer>
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist