[8316] in bugtraq


Re: Firewall-1 Security Advisory

daemon@ATHENA.MIT.EDU (David S. Goldberg)
Tue Oct 27 15:22:30 1998

Date: 	Tue, 27 Oct 1998 13:06:21 -0500
Reply-To: "David S. Goldberg" <dsg@MITRE.ORG>
From: "David S. Goldberg" <dsg@MITRE.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Mnemonix's message of "Tue, 27 Oct 1998 09:47:36 -0000"

> So the closest thing to a warning, comes not in the manuals that
> come with the software - but you have to pay to go on a course for
> this info. I may be wrong about this - if you know of any other
> place where this is documented please let me know.

The "Managing Firewall-1 Using the Windows GUI" book that comes with
the firewall (both in hardcopy and pdf on the CD) covers this in
Chapter 8.  In Chapter 9 (page 170 in my copy) they list in order the
bits a packet is matched against.

Unfortunately, this documentation is insufficient.  They don't give
any advice as to the implications of doing DNS and ICMP before the
rule base.  In spite of what they might consider a complete
description of how it works, it's easy to miss the security implication
of their default settings, especially when they declare some things
essential, making it seem to the administrator that she'd better leave
the services wide open rather than handle them explicitly in the
rules.

--
Dave Goldberg
Post: The Mitre Corporation\MS B305\202 Burlington Rd.\Bedford, MA 01730
Phone: 781-271-3887
Email: dsg@mitre.org
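An added example, not from this post or from the firewall vendor, modelling the match order Dave describes: implied rules generated from the properties screen (DNS and ICMP acceptance) are evaluated before the administrator's rule base, so any explicit rule covering the same traffic can never fire. The property names, addresses and rules are constructed for illustration and only approximate the real product; the `shadowed_rules` check is the audit a defender would want before trusting the defaults.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # address prefix, or "any"
    proto: str               # "udp", "tcp", "icmp", or "any"
    dport: Optional[int]     # None = any port
    action: str              # "accept" or "drop"
Packet = Tuple[str, str, Optional[int]]   # (src, proto, dport)

def _match(rule: Rule, pkt: Packet) -> bool:
    src, proto, dport = pkt
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return rule.src == "any" or src.startswith(rule.src)

# Implied rules generated by the properties screen (property names are constructed).
IMPLIED: Dict[str, Rule] = {
    "accept_dns_udp": Rule("implied: DNS queries", "any", "udp", 53, "accept"),
    "accept_icmp":    Rule("implied: ICMP", "any", "icmp", None, "accept"),
}

def evaluate(pkt: Packet, properties: Dict[str, bool], rulebase: List[Rule]) -> Tuple[str, str]:
    """Enabled implied rules are checked before the rule base; the first match decides."""
    for rule in [IMPLIED[p] for p, on in properties.items() if on] + rulebase:
        if _match(rule, pkt):
            return rule.action, rule.name
    return "drop", "implicit cleanup"

def shadowed_rules(properties: Dict[str, bool], rulebase: List[Rule]) -> List[str]:
    """Rule-base entries that can never fire: an enabled implied rule already
    accepts all traffic they would match, so the explicit decision is dead."""
    enabled = [IMPLIED[p] for p, on in properties.items() if on]
    return [r.name for r in rulebase
            if any(i.src == "any" and i.proto == r.proto and i.dport in (None, r.dport)
                   for i in enabled)]

# Constructed rule base: the admin believes DNS is limited to the internal net
# and ICMP from outside is dropped.
RULEBASE = [
    Rule("1: DNS only from internal", "10.0.0.", "udp", 53, "accept"),
    Rule("2: drop ICMP", "any", "icmp", None, "drop"),
    Rule("3: cleanup", "any", "any", None, "drop"),
]
DEFAULTS = {"accept_dns_udp": True, "accept_icmp": True}    # as shipped
HARDENED = {"accept_dns_udp": False, "accept_icmp": False}  # handled in the rule base instead
```

With the shipped defaults, external DNS and ICMP are accepted by the implied rules and rules 1 and 2 are reported as shadowed; with the properties switched off, the same packets reach the rule base and are dropped there.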
