From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Wed, 17 Jul 2002 19:50:45 -0700 (PDT)
Subject: [iwar] [fc:Firewall.certification.'not.to.be.trusted']

Firewall certification 'not to be trusted'
By Rene Millman, VNUnet, 7/17/02
http://www.vnunet.com/News/1133613

Network managers warned of known flaws

Network managers have been warned that certified firewalls cannot be completely trusted. Security consultant NTA Monitor has questioned the quality of testing carried out by the International Computer Security Association (ICSA) and Information Technology Security Evaluation Criteria (ITSEC) after the bodies missed two flaws which NTA believes should have been identified.

Roy Hills, managing director at NTA, explained that more openness is needed in the testing procedures. "The first thing that would help is some sort of full disclosure," he said. "One of the ways to improve a process is to be able to learn from mistakes. If they don't do this, how many more missed flaws will it take before people ask what certification means?"

NTA has found two significant flaws in ICSA-certified firewalls: the predictable TCP sequence numbers in Borderware Firewall in September 1998, and the FTP bounce issue in Raptor Firewall in April 2002. It maintained that both flaws are very well known to the security community and that proper testing should have detected them.

Security organisation the Computer Emergency Response Team issued an advisory about predictable TCP sequence numbers in January 1995, three years before the Borderware flaw was discovered. It also warned of the FTP bounce attack back in December 1997, four years before the problem cropped up on the Raptor firewall.

A vulnerability in Checkpoint's Firewall-1, an ITSEC-certified system, was also discovered recently. It allowed external internet users to make connections to an internal private network.

Steve Barnett, UK managing director at Checkpoint, dismissed NTA's claims that certification processes are flawed and insisted that certification is still essential to the industry. "I have been personally involved in the ITSEC and it is extremely rigorous," he said. "It is unlikely that they would miss anything significant."

Security experts pointed out that companies which value security usually use firewalls from different vendors, one in front of the other, for added protection. Using a pair is considered safer as they are unlikely to have the same vulnerability at the same time.

"People who understand IT security really well will put in architectures that are appropriate to cover unknown risks," explained Richard Barber, security consultant at Integralis. "A certification company that has missed a particular flaw for whatever reason is in effect an unknown risk that ought to be taken into account."

He added that certification still works, as it stops disreputable companies from claiming that insecure products are safe. "As a filter for cowboys, it is extremely useful when you are talking about something as fundamental to network security as a firewall," said Barber.

--
http://all.net/
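The article names predictable TCP initial sequence numbers (ISNs) as a flaw that certification testing should have caught, without showing what such a check looks like. The following Python is an added example, not code from the article, NTA Monitor or any of the vendors named: it pulls the seq value out of tcpdump-style SYN-ACK lines and scores how often the next ISN lands within a small window of a fixed-step guess made from the two preceding ones. A score near 1.0 means the generator behaves like a counter; a score near 0.0 means an observer learns nothing from earlier connections. The hosts, addresses and ISN values are constructed for the example, and the tcpdump line layout is assumed, not taken from a real capture.

```python
import re

MOD = 1 << 32          # TCP sequence numbers are 32-bit and wrap
WINDOW = 4096          # how close a guess must land to count as "predicted"

# Matches the absolute seq printed by tcpdump on SYN and SYN-ACK packets
# (format assumed for the example; adjust the pattern to your tool's output).
SEQ_RE = re.compile(r"Flags \[S\.?\], seq (\d+)")


def parse_isns(lines):
    """Extract the initial sequence number from each SYN/SYN-ACK line."""
    isns = []
    for line in lines:
        m = SEQ_RE.search(line)
        if m:
            isns.append(int(m.group(1)) % MOD)
    return isns


def wrap_distance(a, b):
    """Distance between two sequence numbers, allowing for 32-bit wraparound."""
    d = (a - b) % MOD
    return min(d, MOD - d)


def isn_predictability(isns, window=WINDOW):
    """Fraction of ISNs that a fixed-step guess (previous ISN plus the
    previous increment) lands within `window` of. 1.0 = counter-like,
    0.0 = no exploitable trend in the samples."""
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    hits = 0
    for i in range(2, len(isns)):
        step = (isns[i - 1] - isns[i - 2]) % MOD
        guess = (isns[i - 1] + step) % MOD
        if wrap_distance(isns[i], guess) <= window:
            hits += 1
    return hits / (len(isns) - 2)


def make_lines(isns, server="10.0.0.1.80", client="10.0.0.2"):
    """Build constructed tcpdump-style SYN-ACK lines for a list of ISNs."""
    return [
        f"IP {server} > {client}.{40000 + i}: Flags [S.], seq {isn}, ack 1, win 65535"
        for i, isn in enumerate(isns)
    ]


# Constructed host A: ISN grows by a fixed 64000 per connection.
HOST_A_ISNS = [(0x1A2B3C4D + 64000 * k) % MOD for k in range(6)]
# Constructed host B: values chosen to show no trend (not from a real capture).
HOST_B_ISNS = [0x9F3A1C07, 0x2B77E4D1, 0xC1080A59, 0x5E91B2F3,
               0x07C4D6A8, 0xE83F2B10, 0x6A1D9C45, 0xB4F07E22]

HOST_A_LINES = make_lines(HOST_A_ISNS)
HOST_B_LINES = make_lines(HOST_B_ISNS, server="10.0.0.9.80")


def score_capture(lines):
    """Parse a capture and return its predictability score."""
    return isn_predictability(parse_isns(lines))


if __name__ == "__main__":
    for name, lines in (("host A", HOST_A_LINES), ("host B", HOST_B_LINES)):
        print(f"{name}: predictability {score_capture(lines):.2f}")
```

Run against a real capture, feed `score_capture` the SYN-ACK lines from the device under test; the constructed host A scores 1.0 and host B scores 0.0. A fixed-step guess is the simplest model; a fuller assessment would also try a time-based step and look at the spread of increments, but even this minimal version separates a counter from a generator whose successive values carry no trend.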
This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:31 PDT