Nanog-
ISS X-Force release two X-Force Security Advisories this evening
detailing high-risk issues in Checkpoint Firewall-1 and VPN-1. Please
refer to the following URLs for more information:
http://xforce.iss.net/xforce/alerts/id/162
http://xforce.iss.net/xforce/alerts/id/163
> http://xforce.iss.net/xforce/alerts/id/163
You know, I'm quite allergic to that word "checkpoint". Perhaps I'm
completely wrong here, but ..
Might be a good idea to deploy openbsd firewalls instead of expensive
and buggy stuff like Checkpoint 
Anything which reduces "security" to point and click on a cute web or
other GUI interface is dangerous... allows untrained and completely
dumb people to brand themselves "firewall admins". Like the "admin"
at a now defunct Indian ISP where my former employer had several
machines colocated.
That idiot basically saw lots of inbound traffic to port 22 on our
machines, didn't know what the hell that was, and firewalled port 22
across the ISP's network.
Getting locked out of all my ssh sessions, having to drive 20 km to
the datacenter, and then having to reset the block myself while my
boss was still arguing with the "admin" was kind of an interesting
experience, I must say.
Yes, his checkpoint management console, running on an unpatched hp/ux
10.2 machine, was up and running, and we just walked right into the NOC
to argue with him. That made it quite easy to click the right buttons
while the guy stood up to call his supervisor in to try convince us (me
and my boss) that yes, he knew what he was doing, he had an MCSE and a
CCNA after all, etc.
Is there some really good "network security for dummies" book that I
can point such people at? Telling them to google doesn't do much
good, I fear 
srs
not that I'm a fan of any firewall product in particular, but...
> http://xforce.iss.net/xforce/alerts/id/162
> http://xforce.iss.net/xforce/alerts/id/163You know, I'm quite allergic to that word "checkpoint". Perhaps I'm
completely wrong here, but ..Might be a good idea to deploy openbsd firewalls instead of expensive
and buggy stuff like CheckpointAnything which reduces "security" to point and click on a cute web or
other GUI interface is dangerous... allows untrained and completely
Sure, anything is dangerous in the 'right' (wrong?) hands. Is the fault
with the vendor or the person(s) implementing or the 'management' of said
person(s)? Even an openbsd firewall is a problem if not properly admin'd.
That idiot basically saw lots of inbound traffic to port 22 on our
machines, didn't know what the hell that was, and firewalled port 22
across the ISP's network.
port 22 is bad though, right? Clearly this was the wrong person to be
doing this job, he could have just as easily been looking at netflow
output and dumped this traffic with an acl on his fancy router... The tool
used is immaterial, his level of clue is what is at issue.
while the guy stood up to call his supervisor in to try convince us (me
and my boss) that yes, he knew what he was doing, he had an MCSE and a
CCNA after all, etc.
there is a dilbert about this very thing 
"Harness the power of
CERTIFICATION!!!"
Is there some really good "network security for dummies" book that I
can point such people at? Telling them to google doesn't do much
good, I fear
Nope, but pointing out their failures in a sensible manner to their
management is helpful... sometimes atleast Failing any action there the
whole group is just shooting themselves in the foot and there isn't much
you can do about that, is there? (except to get out of the blast radius)
Christopher L. Morrow [2/5/2004 10:45 PM] :
Sure, anything is dangerous in the 'right' (wrong?) hands. Is the fault
with the vendor or the person(s) implementing or the 'management' of said
person(s)? Even an openbsd firewall is a problem if not properly admin'd.
of course, but you do have to contend with the fact that it takes at least some amount of IQ beyond the point and click level to fire up vi and use a command line interface.
Neal Stephenson's "in the beginning was the command line" is an interesting take on this, I think.
Nope, but pointing out their failures in a sensible manner to their
management is helpful... sometimes atleast
whole group is just shooting themselves in the foot and there isn't much
you can do about that, is there? (except to get out of the blast radius)
Actually, the problem is that when dealing with a bunch of know it alls like that, even waving manufacturer's documentation in front of them doesn't really help
Like my friend's cable ISP, that recently turned on "smtp fixup" on a cisco pix on port 25 across their entire network. He's got a static IP, runs linux + postfix, and is still left with a completely crippled mailserver (no AUTH, no TLS, no ESMTP ...) thanks to this. Waving cisco docs at them doesn't seem to have helped at all. [Moving is tough, they are the only broadband in the bangalore suburb where he lives]
Checkpoint is a very strange brand. On the one hand, it is _well known
brand_, _many awards_, _editors choice_, etc etc. I know network consultant,
who installed few hundred of them, and it works.
On the other hand, every time, when I have a deal with this beasts (we do
not use them, but some our customers use), I have an impression, that it is
the worst firewall in the world:
- for HA, you need very expansive Solaris cluster (compare with PIX-es) /I
can be wrong, but it is overall opinion/.
- to change VPN, you must reapply all policy, causing service disruption (I
saw 1 day outage due to unsuccesfull Checkpoint reconfiguration);
- VPN have numerous bugs (it is not 100% compatible with Cisco's by default;
of couse, I can blame Cisco, but Checkpoint is _the only_ one of my peers
which have this problem);
- Configuration is not packed in 1 single file, so making difficult change
control, etc etc...
All this is _very_ subjective, of course; but - those customers, who uses
Checkpoints, are the only ones who had a problems with firewalls. If I
compare it with plain, reliable and _very simple_ PIX (PIX is not state of
art, of course) and some others... I begin to think about checkpoint as
about one more _brand bubble_. At least, I always advice _against_ it.
PS. Security for dummies... interesting idea. Unfortunately, this book
should start with _100% secure computer = dead computer_ -
Why not? People really need such book!
Alexei Roudnev wrote:
Checkpoint is a very strange brand. On the one hand, it is _well known
brand_, _many awards_, _editors choice_, etc etc. I know network consultant,
who installed few hundred of them, and it works.On the other hand, every time, when I have a deal with this beasts (we do
not use them, but some our customers use), I have an impression, that it is
the worst firewall in the world:
- for HA, you need very expansive Solaris cluster (compare with PIX-es) /I
can be wrong, but it is overall opinion/.
- to change VPN, you must reapply all policy, causing service disruption (I
saw 1 day outage due to unsuccesfull Checkpoint reconfiguration);
- VPN have numerous bugs (it is not 100% compatible with Cisco's by default;
of couse, I can blame Cisco, but Checkpoint is _the only_ one of my peers
which have this problem);
- Configuration is not packed in 1 single file, so making difficult change
control, etc etc...All this is _very_ subjective, of course; but - those customers, who uses
Checkpoints, are the only ones who had a problems with firewalls. If I
compare it with plain, reliable and _very simple_ PIX (PIX is not state of
art, of course) and some others... I begin to think about checkpoint as
about one more _brand bubble_. At least, I always advice _against_ it.PS. Security for dummies... interesting idea. Unfortunately, this book
should start with _100% secure computer = dead computer_ -
Why not? People really need such book!
Of course 'back in days' when Firewall-1 started and firewalls@greatcircle.com was *the* network security ML, PIX was an utter pile of poo and F-1 was very nice thankyou.
Now PIX is quite good, and Firewall-1 has become the Microsoft of firewalls - ie everywhere and not particularly well administratored.
Interesting how things change isn't it?
again, not that I care about the vendor in question.. BUT
Checkpoint is a very strange brand. On the one hand, it is _well known
brand_, _many awards_, _editors choice_, etc etc. I know network consultant,
who installed few hundred of them, and it works.On the other hand, every time, when I have a deal with this beasts (we do
not use them, but some our customers use), I have an impression, that it is
the worst firewall in the world:
- for HA, you need very expansive Solaris cluster (compare with PIX-es) /I
can be wrong, but it is overall opinion/.
wrong, get nokia's run checkpoint on them, they do VRRP natively, it
rocks... does stateful failover so you can't even tell when one dies.
- VPN have numerous bugs (it is not 100% compatible with Cisco's by default;
of couse, I can blame Cisco, but Checkpoint is _the only_ one of my peers
which have this problem);
this actually works well, provided you config it correctly, there is an
example for pix/CP vpn config at:
http://www.phoneboy.com/bin/view.pl/FAQs/VPNsBetweenFourOneAndCisco
not that phoneboy should be anyone's substitute for support on the cisco
or CP side, of course.
- Configuration is not packed in 1 single file, so making difficult change
control, etc etc...
right, this is actually a huge problem for MSSP's, having to do everything
via a gui is bad
A "social" approach is often more effective than the "technical" approach i.e. it is often easier to hack into a secured system via "social hacking". In a similar vein, while I have no idea if it's "good", but I bet it would be satisfying *and* effective (no matter if he actually reads the book or not) to buy a copy and give it to the luser^W idiot ^W NOCling in question:
<http://www.cobb.com/chey/Network_Security_for_Dummies.html>
You could take a cluebat[1] along when you give it to him. A bit of carrot and stick approach.
jc
[1] <http://ars.userfriendly.org/cartoons/?id=20030210&mode=classic> UF was actually selling these for a while, unfortunately they are all sold out now.
Martin Hepworth wrote:
Alexei Roudnev wrote:
Checkpoint is a very strange brand. On the one hand, it is _well known
brand_, _many awards_, _editors choice_, etc etc. I know network consultant,
who installed few hundred of them, and it works.On the other hand, every time, when I have a deal with this beasts (we do
not use them, but some our customers use), I have an impression, that it is
the worst firewall in the world:
- for HA, you need very expansive Solaris cluster (compare with PIX-es) /I
can be wrong, but it is overall opinion/.
- to change VPN, you must reapply all policy, causing service disruption (I
saw 1 day outage due to unsuccesfull Checkpoint reconfiguration);
- VPN have numerous bugs (it is not 100% compatible with Cisco's by default;
of couse, I can blame Cisco, but Checkpoint is _the only_ one of my peers
which have this problem);
- Configuration is not packed in 1 single file, so making difficult change
control, etc etc...All this is _very_ subjective, of course; but - those customers, who uses
Checkpoints, are the only ones who had a problems with firewalls. If I
compare it with plain, reliable and _very simple_ PIX (PIX is not state of
art, of course) and some others... I begin to think about checkpoint as
about one more _brand bubble_. At least, I always advice _against_ it.PS. Security for dummies... interesting idea. Unfortunately, this book
should start with _100% secure computer = dead computer_ -
Why not? People really need such book!Of course 'back in days' when Firewall-1 started and firewalls@greatcircle.com was *the* network security ML, PIX was an utter pile of poo and F-1 was very nice thankyou.
Now PIX is quite good,
Is it still very counter intuitive to set up a PIX to _not_
do the eevul NAT? Is the PIX no longer PeeCee hardware underneath
(I know they got rid of the HDD) so not as to bring NOs down to the
level of the great unwashed throngs of desktop users?
and Firewall-1 has become the Microsoft of firewalls - ie everywhere and not particularly well administratored.
Interesting how things change isn't it?
At least Checkpoint had the sense to kill the FWZ VPN protocol
early and go with IPsec. More than I can say for M$. Not that
IPsec interoperability is fully realized. Checkpoint has its own
proprietary icky tricks to try to sneak IPsec through NAT just
like every other commercial vendor. But Checkpoint admins are
worst part, "I check the box to use IKE VPN but someone said that
uses the ESP service. Which port number is that? I read port 50
somewhere, but should I make it a TCP or UDP service?"
The Checkpoint feature/bug that frustrates me is at the GUI
level there is no association between a rule and an interface.
To cover up this problem, there is the automatic "anti-spoofing"
feature which is a bitch, if not impossible, to properly configure
for a complicated topology.
Is it still very counter intuitive to set up a PIX to _not_
do the eevul NAT? Is the PIX no longer PeeCee hardware underneath
(I know they got rid of the HDD) so not as to bring NOs down to the
level of the great unwashed throngs of desktop users?
Of course, PIX is still a CISCO - this means _configure it by cisco's
example and modify, do not write out configuration from the scratch_ (Cisco
have a very bold history of different bugs and behaviours, such as 'VoIP
requires 'ip routing' on 36xx and 53xx'). But, after all, it works without
major problems, and became very easy to manage (I have automatic
configuration repository with web interface, CVSWEB archive, and so on - and
it always take 1 minute to save config, check config, check changes happen
during last week, revert configuration back, even to update PIX OS in
redundant environment). For Checkpont owners (we have some legacy in
company), it is a very complicated (often impossible) process.
Security advisories are another issue, but I'd expect more about Checkpoint,
stating that it is based on general OS.
On PIX'en and FWSM it is very easy to disable the evil NAT all you
need is to enter the "nat 0" command in global configuration mode. This
allows the PIX to pass addresses untranslated.
The Pixen are still based on intel hardware but to the best of my
knowledge they have never had a HDD and I have worked with them since the
original PIX and PIX 10000 I attended the initial product announcement
seminar they first came out.
Scott C. McGrath
Checkpoint Firewall-1 HTTP Parsing Format String Vulnerabilities
Vendor Notification Schedule:
Vendor notified - 2/2/2004
Checkpoint patch developed and made available - 2/4/2004
ISS X-Force Advisory released - 2/4/2004
Checkpoint VPN-1/SecureClient ISAKMP Buffer Overflow
Vendor Notification Schedule:
Vendor notified - 2/2/2004
Checkpoint patch developed and made available - 2/4/2004
ISS X-Force Advisory released - 2/4/2004
Isn't it curious that two unrelated issues have been reported to CheckPoint
at the same day and the patches came out on the same day ?
Am I too paranoid, or it seems that CheckPoint had previous knowledge of the
bugs and they agreed with ISS which date would be stated as notification to
CP to make it appears that a quick response (two days) has been achieved on
those issues ?
Rubens
Rubens Kuhl Jr. wrote:
Checkpoint Firewall-1 HTTP Parsing Format String Vulnerabilities
Vendor Notification Schedule:
Vendor notified - 2/2/2004
Checkpoint patch developed and made available - 2/4/2004
ISS X-Force Advisory released - 2/4/2004Checkpoint VPN-1/SecureClient ISAKMP Buffer Overflow
Vendor Notification Schedule:
Vendor notified - 2/2/2004
Checkpoint patch developed and made available - 2/4/2004
ISS X-Force Advisory released - 2/4/2004Isn't it curious that two unrelated issues have been reported to CheckPoint
at the same day and the patches came out on the same day ?
Am I too paranoid, or it seems that CheckPoint had previous knowledge of the
bugs and they agreed with ISS which date would be stated as notification to
CP to make it appears that a quick response (two days) has been achieved on
those issues ?
Uh... yeah, that's how these things are _supposed_ to work. Did
you read the ISS advisory?
Checkpoint has released an update to address this issue. The update is
available at the following address:
Support Programs - Check Point Software
Vendor Notification Schedule:
Vendor notified � 2/2/2004
Checkpoint patch developed and made available � 2/4/2004
ISS X-Force Advisory released � 2/4/2004
ISS X-Force published this Security Advisory in coordination with the
affected vendor in accordance to our published Vulnerability Disclosure
Guidelines, available at the following address:
http://documents.iss.net/literature/vulnerability_guidelines.pdf