Jesse Whyte wrote:
>
> I have had to do some performance and security testing on the
> Borderware firewall product over the last couple of weeks and I
> have some issues that I wanted to address here...
>
> 1) We caused a kernel panic by flooding the firewall system itself
> with ping ECHO_REQUESTS at less than T-1 bandwidth...
Thank you for your feedback. We have been unable to reproduce
this using various ping sizes at near ethernet speeds. Would
it be possible to get more information about the test setup
you are using?
> 2) The default configuration loads a web server on port 80 for the
> entire world to see...
This is, actually, incorrect.
The default configuration does include a secure embedded WWW server,
but all access to the server is disabled. Should you choose to use
the functionality of the WWW server, you must separately enable the
server for each network interface (internal network, Internet, etc.)
that you wish to grant access.
> 3) The firewall doesn't discriminate between internal and external hosts
> when it proxies, (i.e., with a poor setup (the default setup), I can set
> the proxy in my browser to the external interface of the proxy, then try
> to go to the internal interface and the firewall will proxy me
> there...another interesting side effect of this was that you can get
> packets to the web management port 442)
This is also incorrect.
The BorderWare Firewall Server has an exceptionally strong differentiation
between the internal and external networks. The OS has been modified
to change the way TCP/IP thinks about network separation. The firewall
most definitely does discriminate between internal and external hosts.
The setup you describe is not functioning the way you think it is. The
external interface will not act as a WWW proxy. Certain browsers will
fail silently on this and then just connect you directly to the URL you
requested.
If you try this with Netscape 4.0 you will receive the error that the
firewall-ext.company.com proxy is not a valid proxy server and that
the browser will attempt to connect you to your destination directly.
If you enable full packet logging on the WWW service on the firewall
you will note that, during your tests, no packets reached the external
interface. You can also check the proxy logs to note that no packets
were proxied to the internal interface.
Please feel free to contact me directly with any additional issues or
concerns you might have. The BorderWare Firewall Server has been
designed from the OS foundation up to provide security.
Sincerely,
Andrew Flint
______________________________________________________________________________
Andrew Flint                              Secure Computing Corporation
BorderWare Product Manager                Fax 416.813.2001
Andrew_Flint@SecureComputing.com          Tel 416.813.2039
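The interface-aware proxying that the reply above describes, written out as an added example (this is not BorderWare code; the interface names, addresses, the `proxy_enabled` flag and the sample requests are constructed assumptions). The naive policy relays whatever asks, which is the "poor setup" the original report worries about; the separated policy refuses proxy requests arriving on an interface where the service is not enabled, rejects source addresses that do not belong to the side the packet arrived on, and never relays to the firewall's own addresses, so a request aimed at the management port is dropped before it is forwarded.

```python
from ipaddress import ip_address, ip_network

# Constructed topology for this example (an assumption, not BorderWare's real layout):
# the firewall has an internal and an external interface; only the internal one
# has the WWW proxy service enabled, matching the reply's description.
INTERFACES = {
    "internal": {"addr": ip_address("10.0.0.1"), "proxy_enabled": True},
    "external": {"addr": ip_address("192.0.2.1"), "proxy_enabled": False},
}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
FIREWALL_ADDRS = {iface["addr"] for iface in INTERFACES.values()}
MANAGEMENT_PORT = 442  # web management port mentioned in the thread


def classify(addr):
    """Place an address on the firewall itself, the internal side, or the external side."""
    addr = ip_address(addr)
    if addr in FIREWALL_ADDRS:
        return "firewall"
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def naive_decision(ingress, client_ip, dest_ip, dest_port):
    """The 'poor setup' from the original report: relay anything that asks."""
    return True, "relay"


def separated_decision(ingress, client_ip, dest_ip, dest_port):
    """Interface-aware proxy policy; returns (allowed, reason)."""
    iface = INTERFACES[ingress]
    if not iface["proxy_enabled"]:
        # The external interface does not act as a WWW proxy at all.
        return False, "proxy service disabled on %s interface" % ingress
    # Anti-spoofing: the source must belong to the side the packet arrived on.
    expected_side = "internal" if ingress == "internal" else "external"
    if classify(client_ip) != expected_side:
        return False, "source address does not belong to ingress side"
    dest_side = classify(dest_ip)
    if dest_side == "firewall":
        # Never relay to the firewall's own addresses (e.g. the management port).
        return False, "refusing to relay to firewall address, port %d" % dest_port
    if ingress == "external" and dest_side == "internal":
        return False, "external clients may not reach internal hosts"
    return True, "relay"


# Constructed requests mirroring the scenarios discussed in the thread.
REQUESTS = [
    # internal user browsing the Internet through the proxy: the intended use
    ("internal", "10.0.5.20", "198.51.100.7", 80),
    # browser on the Internet pointed at the external interface as its proxy
    ("external", "203.0.113.9", "10.0.5.20", 80),
    # same client asking the proxy for the firewall's internal address, management port
    ("external", "203.0.113.9", "10.0.0.1", MANAGEMENT_PORT),
    # packet on the external wire claiming an internal source address
    ("external", "10.0.5.20", "10.0.0.1", MANAGEMENT_PORT),
    # packet on the internal wire claiming an Internet source address
    ("internal", "203.0.113.9", "198.51.100.7", 80),
    # internal user asking the proxy to relay to the firewall's own management port
    ("internal", "10.0.5.20", "10.0.0.1", MANAGEMENT_PORT),
]


def evaluate(policy):
    """Return the allow/deny verdicts a policy gives for REQUESTS, in order."""
    return [policy(*req)[0] for req in REQUESTS]


if __name__ == "__main__":
    for name, policy in (("naive", naive_decision), ("separated", separated_decision)):
        print(name)
        for req in REQUESTS:
            ok, why = policy(*req)
            print("  %-8s %-12s -> %s:%d  %s (%s)"
                  % (req[0], req[1], req[2], req[3], "ALLOW" if ok else "DENY", why))
```

Running the block prints both verdict tables; the naive policy allows all six requests, while the separated policy allows only the first. The same three checks (service enabled on the ingress interface, source belongs to that side, destination is not the firewall itself) are what the reply says the packet and proxy logs would show: nothing reaching the external interface's proxy and nothing relayed to the internal one.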