> On Friday, October 18, 1996 4:27 AM, Adam Shostack[SMTP:adam @
> >Jonathan Low wrote:
> >| Did anyone ever break into those firewalls?
> >| If so, how did they do it?
> > Physical access will get you into most firewalls. Also, the
> >question you should be asking is 'Did anyone even get through one of
> >those firewalls to attack the network it was defending?'
> > Unfortunately, it's very embarrassing when your firewall is
> >breached, and no one likes to talk about it.
> Who would be able to respond to such questions? What firewalls have NOT been breached? I have Milkyway claiming that no-one has breached their firewalls. Would one be able to ask the company itself?
> Which firewalls are *more susceptible* to break-ins?
> I have a feeling that I won't get too far asking these questions...
These are hard questions to answer for a variety of reasons:
1) They are loaded questions. You'll never find a vendor to admit that
they have a security problem. Additionally, you'll never find an
intruder that will admit to discovering a hole in a firewall product
because they will not want it fixed. The only possible answer a vendor
will give falls along the line of "Not to our knowledge" or "Our
firewall is impenetrable...". The first answer I can accept, the second
one may be true, but generally does not reflect the reality of
computer security where anything can happen.
2) Quantifying the security of a firewall takes on many facets. How do
you rate the security of a firewall if you don't know how it will be
deployed? Some customers require/demand configurations that are
security ignorant and detrimental to the firewall implementation. If
an intrusion occurs in such a case do you blame the firewall or the
3) The only way to ensure the security of a firewall is to perform an
independent review of the entire system. This includes the security
architecture model the system follows, operation and administration
procedures, proxy/filter operation, etc. This is a procedure that many
large companies and banks outsource to an independent third party to
perform against a variety of vendors. Of course it doesn't matter how
great the firewall is if the rest of your network has serious
vulnerabilities such as un-protected dial-in MODEMS etc. Simply put, the
implementation of a firewall needs to be combined with an entire
network security architecture review.
4) You could realistically say that most of the major firewall
vendors offer a comparable firewall system in regards to difficulty of
circumventing. What makes firewalls really different from each other
are the ancillary options and features they have integrated with them.
Such things as strong authentication, encryption, access control,
data integrity, scalability and support differentiate firewalls that are great
from firewalls that are just OK.
> Dan Tshin The Bulldog Group Inc.
> Research and Development 416.594.9207:252
> http://www.bulldog.ca 416.594.1473 Fax
> A head is not merely a hat hangar. Just Use It.
*** All opinions are my own ***
Craig H. Rowland
Virtual Open Networking Environments (V-ONE)
Security Consulting Group
(301) 838-8900 x208