ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1

Christopher L. Morrow chris at UU.NET
Thu Feb 5 17:15:26 UTC 2004


not that I'm a fan of any firewall product in particular, but...

On Thu, 5 Feb 2004, Suresh Ramasubramanian wrote:

>
> >>>>> "Dan" == Ingevaldson, Dan (ISS Atlanta) <dsi at iss.net> writes:
>
>     Dan> http://xforce.iss.net/xforce/alerts/id/162
>     Dan> http://xforce.iss.net/xforce/alerts/id/163
>
> You know, I'm quite allergic to that word "checkpoint".  Perhaps I'm
> completely wrong here, but ..
>
> Might be a good idea to deploy openbsd firewalls instead of expensive
> and buggy stuff like Checkpoint :)
>
> Anything which reduces "security" to point and click on a cute web or
> other GUI interface is dangerous... allows untrained and completely

Sure, anything is dangerous in the 'right' (wrong?) hands. Is the fault
with the vendor or the person(s) implementing or the 'management' of said
person(s)? Even an openbsd firewall is a problem if not properly admin'd.

>
> That idiot basically saw lots of inbound traffic to port 22 on our
> machines, didn't know what the hell that was, and firewalled port 22
> across the ISP's network.

port 22 is bad though, right? Clearly this was the wrong person to be
doing this job, he could have just as easily been looking at netflow
output and dumped this traffic with an acl on his fancy router... The tool
used is immaterial, his level of clue is what is at issue.

> while the guy stood up to call his supervisor in to try to convince us (me
> and my boss) that yes, he knew what he was doing, he had an MCSE and a
> CCNA after all, etc.

there is a dilbert about this very thing ;) "Harness the power of
CERTIFICATION!!!"

>
> Is there some really good "network security for dummies" book that I
> can point such people at?  Telling them to google doesn't do much
> good, I fear :(
>

Nope, but pointing out their failures in a sensible manner to their
management is helpful... sometimes at least :( Failing any action there, the
whole group is just shooting themselves in the foot and there isn't much
you can do about that, is there? (except to get out of the blast radius)
