ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1

Suresh Ramasubramanian suresh at outblaze.com
Thu Feb 5 16:56:22 UTC 2004


>>>>> "Dan" == Ingevaldson, Dan (ISS Atlanta) <dsi at iss.net> writes:

    Dan> http://xforce.iss.net/xforce/alerts/id/162
    Dan> http://xforce.iss.net/xforce/alerts/id/163

You know, I'm quite allergic to that word "checkpoint".  Perhaps I'm
completely wrong here, but ...

Might be a good idea to deploy openbsd firewalls instead of expensive
and buggy stuff like Checkpoint :)

Anything which reduces "security" to point and click on a cute web or
other GUI interface is dangerous... allows untrained and completely
dumb people to brand themselves "firewall admins".  Like the "admin"
at a now defunct Indian ISP where my former employer had several
machines colocated.

That idiot basically saw lots of inbound traffic to port 22 on our
machines, didn't know what the hell that was, and firewalled port 22
across the ISP's network.

Getting locked out of all my ssh sessions, having to drive 20 km to
the datacenter, and then having to reset the block myself while my
boss was still arguing with the "admin" was kind of an interesting
experience, I must say.

Yes, his checkpoint management console, running on an unpatched hp/ux
10.2 machine, was up and running, and we just walked right into the NOC
to argue with him.  That made it quite easy to click the right buttons
while the guy stood up to call his supervisor in to try to convince us (me
and my boss) that yes, he knew what he was doing, he had an MCSE and a
CCNA after all, etc.

Is there some really good "network security for dummies" book that I
can point such people at?  Telling them to google doesn't do much
good, I fear :(

        srs

-- 
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations