From: Frank Willoughby <frankw@in.net>
Date: Tue, 23 Jul 1996 01:15:49 +0800
To: vin@shore.net (Vin McLellan)
Subject: Re: Firewall Penetration
Message-ID: <9607221207.AA14558@su1.in.net>
MIME-Version: 1.0
Content-Type: text/plain


At 10:09 PM 7/21/96 -0400, you wrote:

>Frank Willoughby <frankw@in.net> wrote:
>
>>FWIW, of @70 firwalls on the market, only @5 are adequate to protect
>>a company from the hazards of the Internet.
>
>        Ah, Frank,  are you talking here about session hijacking and is
>end-to-end crypto the defining factor of the robust five?

Of course (Vin already knew the answer).  8^)  

To answer the other questions posed on this list, the vendors who are
relatively immune to the above attacks AND are Application Gateway type
firewalls are: (in alphabetical order):

 Digital's Firewall for Unix - *IF* the IP Encryption Tunnel is also used
 Raptor's Eagle
 Technologics' firewall (This is a stretch.  They claim they have encryption,
        but I'm not wild about the implementation) 1/2 a point
 TIS Gauntlet
 V-One's SmartWall

Interestingly enough, the reason the 5 are so robust is that they employ 
user->firewall encryption to help prevent session hijacking attacks.
FWIW, session hijacking isn't a theoretical attack.  It is a serious 
threat and (sadly) it's as simple as "point & click".

Another plus for good crypto - it not only helps protect the privacy
of data, it also helps prevent some types of hacking attacks.

Anyone can do firewall->firewall encryption (and most serious vendors 
do).  The hard part is getting the user->firewall encryption part to 
work well.  Again, as stated in my previous mail, my company doesn't 
sell firewalls, so I can call things the way I see them.

As the above list will probably draw the flames of firewall vendors 
who feel insulted that they aren't part of the list, I think it would 
be best to move this topic over to the firewalls mailing list (where 
it really belongs).  See you there.


>        Suerte,
>                        _Vin
>
>         Vin McLellan +The Privacy Guild+ <vin@shore.net>
>      53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548
>                         <*><*><*><*><*><*><*><*><*>

Best Regards,


Frank
Any sufficiently advanced bug is indistinguishable from a feature.
	-- Rich Kulawiec

<standard disclaimer>
The opinions expressed above are of the author and may not 
necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Information Security Consulting 
http://www.fortified.com     Phone: (317) 573-0800     FAX: (317) 573-0817     
Home of the Free Internet Firewall Evaluation Checklist