To All:
In regards to the article in Info World, it mentions that Firewall-1 has
what would seem to be a serious design flaw. At boot time, the in.routed
router daemon was started before the firewall software, creating a
window of opportunity (2 to 3 seconds ?) in which the internal network
is exposed. This was especially surprising to me, as it states in the
manual to not use extended IP access lists on the router to filter
traffic, but to rather route *all* incoming traffic to the firewall. I
quote: "Use routers to provide proper network connectivity. Use a
firewalled gateway behind the router to perform the filtering
functions."
We are currently considering Firewall-1, because of its flexibility and
its "Stateful Packet Inspection" of protocols such as UDP. I am very
curious to know how anyone on the list has resolved this issue. I would
think that one would only need to change the order in which these things
are started by editing the startup scripts. If not, what did others out
there do to address this?
If this is a topic that has already been discussed, please feel free to
contact me directly.
Thanks in advance for your help,
Jim Wojno
Systems Administrator
Telxon Corporation
jwojn@telxon.com
>----------
>From: Christopher Klaus [SMTP:cklaus@iss.net]
>Sent: Friday, August 02, 1996 2:13 PM
>To: firewalls@greatcircle.com
>Subject: Info World Firewall Articles
>
>
>In this week's InfoWorld, they have done a comparison of many of the
>commercial firewalls. Might be worthwhile to take a look at if you are
>going to buy a firewall.
>
>There's also an article in InfoWorld, July 29, 1996 Issue, on Page 79
>with Marcus Ranum and me discussing 'Does scanning for vulnerabilities
>mean your firewall is safe?'
>
>Thought it might be worth taking a look at if you missed it.
>
>--
>Christopher William Klaus    Voice: (404)252-7270.  Fax: (404)252-2427
>Internet Security Systems, Inc.
>Ste. 115, 5871 Glenridge Dr, Atlanta, GA 30328
>Web: http://iss.net/    Email: cklaus@iss.net
>"Internet Scanner finds your network security holes before the hackers do."
>
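The fix Jim suggests, reordering the startup scripts so the firewall comes up before in.routed, can be checked mechanically. The script below is an added example and is not from the original post, from Check Point, or from the archive; it assumes a Solaris-style rc directory where scripts named S##name run in ASCII order, and the script names (S69inet for the inetinit script that starts in.routed, S95fw1 for the firewall) are hypothetical. The listing is constructed here so the check runs offline; on a real host you would feed it `ls /etc/rc2.d`.

```shell
#!/bin/sh
# Added example (not from the original post or Check Point): report whether
# the firewall's rc start script sorts before the routing daemon's.
# Assumes Solaris-style /etc/rc2.d ordering (S##name, ASCII order).
# Script names below are hypothetical.

# Constructed sample listing of an rc directory (not taken from a real system).
SAMPLE_RC_LISTING='S69inet
S72inetsvc
S74syslog
S88sendmail
S95fw1'

# seq_of LISTING PATTERN
# Print the two-digit sequence number of the first S-script (in boot order)
# whose name matches PATTERN; print nothing if none matches.
seq_of() {
    printf '%s\n' "$1" | sort | grep "^S[0-9][0-9].*$2" | head -n 1 \
        | sed 's/^S\([0-9][0-9]\).*/\1/'
}

# fw_starts_first LISTING FW_PATTERN ROUTED_PATTERN
# Print "ok" when the firewall script runs before the routing script,
# "WINDOW" when routing starts first (the exposure described in the post),
# "unknown" if either script is missing from the listing.
fw_starts_first() {
    fw=$(seq_of "$1" "$2")
    rt=$(seq_of "$1" "$3")
    if [ -z "$fw" ] || [ -z "$rt" ]; then
        echo unknown
        return 2
    fi
    if [ "$fw" -lt "$rt" ]; then
        echo ok
        return 0
    fi
    echo WINDOW
    return 1
}

# Stand-alone run against the constructed listing (in.routed via S69inet
# would start before S95fw1, so this reports WINDOW).
printf 'sample listing: %s\n' "$(fw_starts_first "$SAMPLE_RC_LISTING" fw1 inet)"
```

Renaming the firewall script to a lower sequence number (say S10fw1) makes the check report "ok", but note what the check does and does not prove: it only orders the scripts. The kernel forwards packets as soon as the interfaces are configured, so the window shrinks rather than closes. A complementary measure, not from the post, is to keep IP forwarding disabled at boot (on Solaris 2.x, `ndd -set /dev/ip ip_forwarding 0` in an early rc script) and have the firewall's own start script turn it on only after the filter module and policy are loaded.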