> Craig Anderson <craiga @
> >So how about doing the Firewall industry equivalent of the NFS industries
> >week-long Inter-Op conference. No marketing weenies allowed, just technical
> >people from each participating vendor attacking each others machines to
> >help improve the industry. No technical results will be published.
> >If some vendor just wants free development help, don't help. Just
> >point out to each other the weaknesses found.
> Great idea - how do we do it? Great possibilities here, too. Consider
> RayK 8) - Better Living Through Authentication - I usually only speak for myself
Start by piggy-backing on the NFS Connectathon (if Sun is interested;
I can ask the right people if need be, unless they're listening already).
The Rules of Engagement (proposed)
Have each vendor distribute their configuration to all registered participants
at least 2 weeks beforehand. The published configuration should be the
configuration the vendor intends to field, to speed up the hack-cycle (we only
have a week). The configuration should not change but it does not have
to be all that detailed. A block diagram of what networks are connected to
which firewall, the exact version and product name being fielded, etc.
The published configuration must include the location of a file that must be
retrieved from the firewall and another file that must be retrieved from a
host behind the firewall. The files should be plain-text. Getting either
file constitutes a win. Wins should not be published! Period. Not even a
count of wins.
Security Contractors can participate by registering as combatants and
try to break into vendor machines. If someone gets a win they MUST
describe (in detail!) how they did it to the losing vendor. All
participants must register with their REAL NAME and show ID to prove it.
And somebody please invite the military/NSA/defense-contractors/etc.
Marketing weenies will be stopped at the door; this is for techies only.
Denial of Service attacks are confined to one specific day of the
Firewall Connectathon and do not constitute a win. They are only
embarrassing to the vendor, if, say, the firewall crashes because of
the attack. Maybe we can all learn how to diagnose and treat
Denial of Service attacks better.
Given that this is just about firewalls and not the entire spectrum of
security policy, physical security of the firewall is not at issue
and should not be attempted. Though it can definitely be discussed.
The point of this is to grow and mature the industry, not to gain
adversarial advantage over your competitors. Professionalism is
important. Violators will not be invited back next year.
If it gets big and successful, maybe we should change the
name to "the Hack-Fest" or something.