[ale] OT: Firewall purchase

James P. Kinney III jkinney at localnetsolutions.com
Mon Jul 5 11:15:52 EDT 2004


On Sun, 2004-07-04 at 23:37, David Hamm wrote:
> Are you suggesting that a power blink will cause the firewall to replace its
> remote access password with a default/HARDCODED password?

There is a series of firewall products whose name brand escapes me
(search on slashdot) that has a backdoor password that was embedded. The
patch was a flash upgrade that turned off the password use from the
outside connection. Further study showed the power reset would revert
back to the default allow remote login with backdoor password.


> 
> > Both of those have known security issues. 
> Last time I looked the only security issue with NetGear's FVS318 had to do 
> with a buffer overflow on the remote access login.  The overflow would cause 
> a reboot of the unit and no other side effects.  A rule that only permits 
> access from a couple of specific known hosts reduces exposure to this.  If 
> you have a link with more info please pass it along.

See above. If I get the time today, I'll dig up the references I was
reading on this. It's about 2 months old (or so).
> 
> > Neither support VPN connections directly.
> Huh?  I just put a VPN together a couple months ago with a pair of FVS318s.  
> It also worked two years ago when I tested the ability of the FVS318 to 
> connect to a Nortel 1510.  We could make the connection but the two units 
> couldn't negotiate a routing protocol.

The VPN in many off-the-shelf devices is PPTP, which has numerous, well
known vulnerabilities. PPTP is used often as it is easy to do and older
M$ machines support it easily with little support needed to set it up.

When I think of a VPN, I'm thinking IPSec with pre-shared keys. There
are many firewall boxes that support IPSec with pre-shared keys. None
are in the $100 range. All require additional license purchase for
multiple VPN client access. 

A _real_ VPN server can act as the end point for the VPN tunnel. Most of
the firewall devices out there _support_ VPN by merely passing IPSec
datagrams freely. They do not act as a VPN server or client.

**NOTE** I don't regularly check all the stats on new network hardware
that does in silicon what I prefer to do in RAM. The last sweep of
firewall technology I did was Feb. 2004 and that was of corporate
firewall products that support IPSec. None of those was less than $1500.
> 
> > All of the off-the-shelf firewall devices are generic boxes that are
> > cookie cutter rule sets for a limited set of protection scenarios. The
> > ability to ssh into the firewall and adjust as needed is absolutely
> > priceless.
> Yes, I like ssh and IPtables too but this isn't a problem for that solution. 

Then have the client spend the $100 for "The Emperor's New Clothes"
firewall product. Make sure you get a release of liability document
signed before you put it in. If it is a product that _you_ recommend,
you WILL be the first person called on a problem. I have found
supporting products that I don't have complete and full access to
difficult at best and impossible at worst. I don't like being in the
position of having the responsibility for a situation but not the
authority to do what I see is best to make the solution happen.
>  
> 
> 
> On Sunday 04 July 2004 08:31 pm, James P. Kinney III wrote:
> > On Sun, 2004-07-04 at 16:15, David Hamm wrote:
> > > Thanks for the links and suggestions but this firewall is for a client
> > > and building a custom firewall will not be price competitive;  Especially
> > > if you consider the ease of use available for $100 from Netgear and
> > > D-Link.
> >
> > Both of those have known security issues. Neither support VPN
> > connections directly. Having a hardware device that has had a backdoor
> > password that is HARDCODED into the silicon and well published is a
> > waste of cash. Once the power blinks, they go back to the default
> > backdoor settings.
> >
> > The upfront cost of buying a supportable setup is negligible compared to
> > the replacement cost over time of upgrading the firewall hardware system
> > every time a new feature to stop a new style of attack is not upgradeable
> > by a flash of the bios.
> >
> > All of the off-the-shelf firewall devices are generic boxes that are
> > cookie cutter rule sets for a limited set of protection scenarios. The
> > ability to ssh into the firewall and adjust as needed is absolutely
> > priceless.
> >
> > Besides, how else are you going to run Bob's ruleset?!
> >
> > > On Sunday 04 July 2004 03:40 pm, Dow Hurst wrote:
> > > > David Hamm wrote:
> > > > > Hi,
> > > > >
> > > > > I'm looking for a firewall that supports IPSEC for VPN and OSPF.
> > > > > Netgear has
> > > > > stuff I found attractive but with no OSPF support. Moving parts (i.e.
> > > > > fans and
> > > > > disks), and user licensing are out. Anyone have any suggestions?
> > > > >
> > > > > Thanks.
> > > > > _______________________________________________
> > > > > Ale mailing list
> > > > > Ale at ale.org
> > > > > http://www.ale.org/mailman/listinfo/ale
> > > >
> > > > Look at building it yourself using Slackware, Bob Toxen's second
> > > > edition of his book, and an Epia based fanless supersmall machine with
> > > > dual built-in NICs.  His book has drop-in iptables rules that are
> > > > excellent. Once you get that far then going through the IPSEC Howto is not
> > > > too difficult.  Just involves a kernel module compile and insertion.
> > > >
> > > >
> > > >
> > > > Links:
> > > > http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html#toc3
> > > > http://www.impsec.org/linux/masquerade/ip_masq_vpn.html
> > > > http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html (this
> > > > is one idea)
> > > >
> > > >
> > >
> > >
> > > 
> 
-- 
James P. Kinney III          \Changing the mobile computing world/
CEO & Director of Engineering \          one Linux user         /
Local Net Solutions,LLC        \           at a time.          /
770-493-8244                    \.___________________________./
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
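As an added example (not part of this thread, and not Bob Toxen's or anyone else's posted rules), here is a small POSIX shell script that generates an iptables ruleset for the kind of self-built Linux firewall discussed above. It covers the two points raised in the exchange: management ssh is reachable from the outside only from a couple of specific known hosts, and the box either terminates IPsec itself (`endpoint` mode, accepting IKE/ESP/AH locally) or merely forwards IKE/ESP/AH to an internal VPN server (`passthrough` mode, which is all most consumer boxes do). Interface names, the LAN prefix, the admin host addresses and the VPN server address are constructed placeholders; the script prints the commands for review rather than applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables commands for a
# two-interface Linux firewall; review the output, then pipe it to sh.
# All addresses and interface names below are constructed placeholders.

WAN_IF="${WAN_IF:-eth0}"               # outside interface (assumed)
LAN_IF="${LAN_IF:-eth1}"               # inside interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # inside prefix (assumed)
# Outside hosts allowed to reach the firewall's own ssh (constructed).
ADMIN_HOSTS="${ADMIN_HOSTS:-203.0.113.10 203.0.113.11}"
# Internal VPN server used in passthrough mode (constructed). ESP and AH
# carry no port numbers, so this host must be routed, not NATed, to be
# reachable from the outside.
VPN_SERVER="${VPN_SERVER:-192.168.1.2}"

# gen_rules MODE   where MODE is "endpoint" or "passthrough"
gen_rules() {
    case "$1" in
        endpoint|passthrough) ;;
        *) echo "gen_rules: mode must be endpoint or passthrough" >&2; return 1 ;;
    esac

    # Default deny for anything aimed at the box or routed through it.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Management: ssh from the LAN, and from the outside only from the
    # named admin hosts. Any other packet to port 22 hits the DROP policy.
    echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT"
    for h in $ADMIN_HOSTS; do
        echo "iptables -A INPUT -i $WAN_IF -s $h -p tcp --dport 22 -j ACCEPT"
    done

    if [ "$1" = endpoint ]; then
        # The firewall is the IPsec peer: accept IKE (UDP 500), ESP and AH.
        echo "iptables -A INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT"
        echo "iptables -A INPUT -i $WAN_IF -p esp -j ACCEPT"
        echo "iptables -A INPUT -i $WAN_IF -p ah -j ACCEPT"
    else
        # The firewall only passes IPsec; the real peer is VPN_SERVER inside.
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $VPN_SERVER -p udp --dport 500 -j ACCEPT"
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $VPN_SERVER -p esp -j ACCEPT"
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $VPN_SERVER -p ah -j ACCEPT"
    fi

    # LAN clients may initiate outbound; replies return via the state rule.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
}

# Print the ruleset when invoked with a mode, e.g. "sh fw.sh endpoint".
if [ -n "${1:-}" ]; then
    gen_rules "$1"
fi
```

Typical use is `sh fw.sh endpoint > rules.sh`, read the result, then run it on the firewall. The source-address restriction on port 22 is the same idea David describes for the FVS318: it shrinks who can even talk to the login service, but it is a filter, not authentication, so ssh key auth and a non-default admin password still matter. Switching between the two modes also makes the thread's distinction concrete: in `passthrough` the box never sees plaintext and the VPN server is a separate host, whereas in `endpoint` the firewall itself holds the pre-shared keys.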



