Network Security Firewalls

Re: PIX vs its competitors

Subject: Re: PIX vs its competitors
Date: Tue, 22 Mar 2005 16:26:35 -0500
On Mon, 2005-03-21 at 23:57, Vladamir wrote:

> Sorry if this has been beaten to death, but I haven't found a decent
> comparison on google, does anyone have information about how PIX fares
> against its competition?

This really depends on what you are looking for and what kind of
insecurities you can live with. All firewalls have their weaknesses.

For example, I just did a round-up for some material I'm working on. The
firewalls I used in the comparison were:
Checkpoint FW-1 4.5.57.S
Cisco PIX 6.3(3)
Juniper Netscreen 5.0.0r8.1

While the PIX did pretty well, its Achilles heel is ICMP. The device
*still* does not perform proper stateful inspection of ICMP. This makes
it pretty easy to set up a covert communication channel through the box
based on ICMP error packets. I also noted that it frequently makes
mistakes when logging the ICMP type/code.

FW-1 on the other hand logs very little (found it properly dropped but
would not log tiny frags, source route packets, source IP of loopback,
etc, etc.). It also happily passes TCP ACK packets even when a state
session for the packet does not exist. Yet another covert communication
channel possibility.

Netscreen did a horrible job of dealing with fragments (sometimes it
would work fine, sometimes it would pass illegal frags but drop legit
frags). It would also pass source routed packets to an open port,
permitting that internal system to be turned into a potential bounce
host.

Beyond the above, these firewalls did pretty well in my testing. You can
see what I mean, however: just about any firewall you use is going to
have some kind of "problem". It's just a matter of what you can live with
or possibly reinforce with another security device.

HTH,
Chris
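Added example, not from the thread or any of the vendors: a toy Python model of the two stateful checks Chris describes as missing, namely matching the datagram quoted inside an ICMP error against the session table, and refusing a TCP ACK for which no session exists. The Flow/StatefulFilter names, addresses and ports are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

class StatefulFilter:
    """Toy model of the two checks the post says PIX 6.3 / FW-1 4.x lacked."""

    def __init__(self):
        self.table = set()  # flows initiated from the inside

    def outbound(self, flow):
        self.table.add(flow)  # remember the session so replies can return

    def inbound_tcp(self, flow, flags):
        # Bare SYN from outside: unsolicited connection attempt, drop.
        if "SYN" in flags and "ACK" not in flags:
            return False
        # Anything else (including a lone ACK, which FW-1 passed) needs state.
        return flow.reverse() in self.table

    def inbound_icmp_error(self, icmp_type, quoted):
        # Types 3 (unreachable) and 11 (time exceeded) quote the header of
        # the datagram that triggered them; admit the error only if that
        # datagram is one we sent. PIX 6.3 did not perform this check.
        if icmp_type not in (3, 11):
            return False
        return quoted in self.table

def run_scenario():
    """Constructed sample traffic (not a capture); returns each verdict."""
    fw = StatefulFilter()
    web = Flow("tcp", "10.0.0.5", 40000, "198.51.100.7", 80)
    fw.outbound(web)
    stray = Flow("tcp", "203.0.113.9", 1234, "10.0.0.5", 40000)
    unsolicited = Flow("udp", "10.0.0.5", 53000, "203.0.113.9", 53)
    return {
        "reply_to_web": fw.inbound_tcp(web.reverse(), {"SYN", "ACK"}),
        "stray_ack": fw.inbound_tcp(stray, {"ACK"}),
        "icmp_for_web": fw.inbound_icmp_error(3, web),
        "icmp_unsolicited": fw.inbound_icmp_error(3, unsolicited),
    }
```

Only the reply to the inside-initiated session and the ICMP error quoting that session pass; the stray ACK and the ICMP error quoting a datagram never sent are dropped, which is the behaviour the post faults FW-1 and PIX for lacking.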


