Great Circle Associates Firewalls
(August 1996)
 


Subject: RE: Info World Firewall Articles
From: "Roderick Murchison, Jr." <murchiso @ vivid . newbridge . com>
Date: Sun, 4 Aug 1996 20:06:17 -0400 (EDT)
To: "Wojno, Jim" <jwojn @ telxon . com>
Cc: "'firewalls @ greatcircle . com'" <firewalls @ GreatCircle . COM>
In-reply-to: <c=US%a=_%p=TELXON%l=EXCHANGE-960802193058Z-18 @ exchange . mis . telxon . com>

We picked this up and did some tweaking to secure us from the "window of
opportunity".  The product has worked great for us over the past couple
years, but you should definitely investigate what is happening during boot
time to nail down any openings.

-r

On Fri, 2 Aug 1996, Wojno, Jim wrote:

> To All:
> 
> In regards to the article in Info World, it mentions that Firewall-1 has
> what would seem to be a serious design flaw. At boot time, the in.routed
> router daemon was started before the firewall software, creating a
> window of opportunity (2 to 3 seconds ?) in which the internal network
> is exposed. This was especially surprising to me, as it states in the
> manual to not use extended IP access lists on the router to filter
> traffic, but to rather route *all* incoming traffic to the firewall. I
> quote: "Use routers to provide proper network connectivity. Use a
> firewalled gateway behind the router to perform the filtering
> functions."
> 
> We are currently considering Firewall-1, because of its flexibility and
> its "Stateful Packet Inspection" of protocols such as UDP. I am very
> curious to know how anyone on the list has resolved this issue. I would
> think that one would only need to change the order in which these things
> are started by editing the startup scripts. If not, what did others out
> there do to address this?
> 
> If this is a topic that has already been discussed, please feel free to
> contact me directly.
> 
> Thanks in advance for your help,
> 
> Jim Wojno
> Systems Administrator
> Telxon Corporation
> jwojn @ telxon . com
> 
> >----------
> >From: 	Christopher Klaus[SMTP:cklaus @ iss . net]
> >Sent: 	Friday, August 02, 1996 2:13 PM
> >To: 	firewalls @ greatcircle . com
> >Subject: 	Info World Firewall Articles
> >
> >
> >In this week's InfoWorld, they have done a comparison of many of the
> >commercial firewalls.  Might be worthwhile to take a look at if you are
> >going to buy a firewall.
> >
> >There's also an article in InfoWorld, July 29, 1996 Issue, on Page 79
> >with Marcus Ranum & I discussing 'Does scanning for vulnerabilities
> >mean your firewall is safe?'
> >
> >Thought it might be worth taking a look at if you missed it.
> >
> >-- 
> >Christopher William Klaus	     Voice: (404)252-7270. Fax: (404)252-2427
> >Internet Security Systems, Inc.
> >Ste. 115, 5871 Glenridge Dr, Atlanta, GA 30328
> >Web: http://iss.net/  Email: cklaus @ iss . net
> >"Internet Scanner finds your network security holes before the
> >hackers do."
> >
> 
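
The boot-order check discussed in this thread, as an added example that is not part of the original messages or of any vendor's scripts: it reports whether the packet filter is started before the routing daemon, both for a single rc file and for a SysV-style directory of `S##name` scripts. Only `in.routed` comes from the thread; `start_packet_filter`, the file names and the sample contents are constructed placeholders.

```shell
#!/bin/sh
# Added example: boot-order audit. Script names and patterns are constructed.

# verdict FW_POS RT_POS
# 0 = filter starts first, 1 = routing starts first (exposure window),
# 2 = filter is never started at all.
verdict() {
    [ -n "$1" ] || return 2
    [ -n "$2" ] || return 0
    [ "$1" -lt "$2" ] || return 1
    return 0
}

# pos PATTERN: line number (on stdin) of the first match, empty if none.
pos() {
    grep -n -E "$1" | head -n 1 | cut -d: -f1
}

# Single boot script: compare line order, with comments stripped so that a
# commented-out or merely mentioned daemon does not count as a start.
check_rc_file() {
    body=$(sed 's/#.*//' "$1")
    verdict "$(printf '%s\n' "$body" | pos "$2")" \
            "$(printf '%s\n' "$body" | pos "$3")"
}

# SysV-style directory: S##name scripts run in lexical order.
check_rc_dir() {
    order=$(cd "$1" && ls | grep '^S' | LC_ALL=C sort)
    verdict "$(printf '%s\n' "$order" | pos "$2")" \
            "$(printf '%s\n' "$order" | pos "$3")"
}

# Constructed samples: daemon before filter, the corrected order, and an
# rc directory where the filter script sorts after the routing script.
demo() {
    d=$(mktemp -d) || return 3
    printf '%s\n' '# start routing' 'in.routed' 'start_packet_filter' > "$d/rc.bad"
    printf '%s\n' '# in.routed comes later' 'start_packet_filter' 'in.routed' > "$d/rc.good"
    mkdir "$d/rc2.d" && : > "$d/rc2.d/S30routed" && : > "$d/rc2.d/S90firewall"
    for t in "file $d/rc.bad" "file $d/rc.good" "dir $d/rc2.d"; do
        set -- $t
        rc=0; "check_rc_$1" "$2" 'start_packet_filter|firewall' 'routed' || rc=$?
        echo "${2##*/}=$rc"
    done
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run with the argument `demo` to see the three constructed cases; a result of 1 means the routing daemon comes up before the filter, which is the window described above.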



