frankw@in.net (Frank Willoughby) writes about some firewall vendors (including us):
> Sadly, neither company (last time I checked)
> hasn't gone far enough to secure the firewalling capabilities, IMHO.
As far as "securing the firewalling capabilities" go, we believe
Sidewinder is already the best on the market. We look forward to any
suggestions of how it can be made better.
The only "shortcut" I know of in Sidewinder's security posture is that
we haven't done the depth of formal modeling and analysis that we did
on the SNS Mail Guard. That's why Sidewinder is out there today
running today's protocols on state of the art hardware. Government and
military sites with really high security requirements are willing to
limit themselves to e-mail and pay for the additional security
analysis performed on the Mail Guard. I wish commercial clients were
willing to sacrifice performance or features for better security
assurance. It makes things more certain. But that's not how it is.
> Two big threats that almost all firewall vendors haven't counteracted
> yet are: "Node Spoofing" & "TCP Sequence Number Prediction Attacks".
> Many claim to be immune to node spoofing, but when you dig a little
> deeper, you find that they are immune only if the person on the outside
> is trying to spoof an inside address. If the hacker has any sense at
> all, he will spoof the IP address of the system on the outside who is
> trying to get in.
This is not an issue of "securing the firewall," or even of firewall
security services. This is a limitation in Internet protocols. Its
handling revolves around a technical issue and a policy issue.
The technical issue is a fundamental one of Internet protocols. The
only information a receiving site has is the information in a packet,
and the classic Internet protocols don't give us a reliable way of
validating its contents in the face of interception threats. If a
packet contains the source address of an arbitrary Internet host from
outside your site, there's no way to tell if the address has been
forged or if the contents were modified in transit. This is a property
of the Internet protocols that has become a flaw in today's world of
escalating threats. I'm sorry but firewalls can't fix that.
The policy issue is that a site must recognize this limitation and not
risk important assets on unreliable protection mechanisms. Many sites
establish some access control based on external IP addresses, but the
sites we work with don't use it to block major threats.
The only promising countermeasures involve cryptographic services,
which are available in several levels of effectiveness and
convenience. It's not a "solution" for everything but it deals
effectively with threats in certain circumstances.
Rick.
smith@sctc.com, Secure Computing Corporation
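The argument in the post above, as an added illustration that is not part of the original message: a source-address rule catches an outside packet that claims an inside address, but it cannot tell a forged trusted external address from the real one, whereas a keyed tag over the packet can. All addresses, the interface names and the key are constructed for the example.

```python
import hmac
import hashlib

TRUSTED_EXTERNAL = {"203.0.113.10"}   # constructed: partner host allowed in
INTERNAL_NET = "192.0.2."             # constructed: our inside address block

def ingress_filter(pkt):
    """Classic anti-spoofing rule: a packet arriving on the outside
    interface must not claim an inside source address."""
    return not (pkt["iface"] == "outside" and pkt["src"].startswith(INTERNAL_NET))

def address_acl(pkt):
    """Access control by external source address alone: the only thing
    the receiver can check is the address field the sender wrote."""
    return ingress_filter(pkt) and pkt["src"] in TRUSTED_EXTERNAL

def tag(key, src, payload):
    """Keyed MAC binding the claimed source address to the payload."""
    return hmac.new(key, src.encode() + b"|" + payload, hashlib.sha256).hexdigest()

def authenticated_acl(pkt, key):
    """Cryptographic check: only a holder of the shared key can produce
    the tag, so writing a trusted address into the packet is no longer enough."""
    if not address_acl(pkt):
        return False
    expected = tag(key, pkt["src"], pkt["payload"])
    return hmac.compare_digest(expected, pkt.get("tag", ""))

KEY = b"constructed-shared-key"   # constructed sample key

GENUINE = {"iface": "outside", "src": "203.0.113.10", "payload": b"login"}
GENUINE["tag"] = tag(KEY, GENUINE["src"], GENUINE["payload"])

# Outside packet claiming an inside address: the ingress filter catches it.
FORGED_INSIDE = {"iface": "outside", "src": "192.0.2.5", "payload": b"login"}

# Outside packet claiming the trusted external address: nothing in the packet
# reveals the forgery, so the address-only rule passes it; only the tag differs.
FORGED_EXTERNAL = {"iface": "outside", "src": "203.0.113.10", "payload": b"login"}

def evaluate():
    """Return (address-only verdict, authenticated verdict) for each packet."""
    return {
        "genuine": (address_acl(GENUINE), authenticated_acl(GENUINE, KEY)),
        "forged_inside": (address_acl(FORGED_INSIDE), authenticated_acl(FORGED_INSIDE, KEY)),
        "forged_external": (address_acl(FORGED_EXTERNAL), authenticated_acl(FORGED_EXTERNAL, KEY)),
    }
```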