Re: AltaVista Firewall97

From: Roger Baker (bakerat_private)
Date: Sat Feb 27 1999 - 21:50:01 PST

    I was one of a few beta testers outside Digital for Firewall98.  I
    pointed out a year ago this problem in the beta.  Firewall98 was going
    to be released with named 4.9.6.  I raised hell, and they shipped 4.9.7
    with Firewall98.  This problem is not so much with Firewall97 as it is
    with named.  CERT 97-5 addressed this.  To fix this problem you have to:
    
    1)  Apply SP3 to Firewall97 to fix dnsd which connects the internal and
    external named's together.  There is a bug in pre-SP3 dnsd.  As was
    pointed out you still have to upgrade named to 4.9.7.
    
    2)  Better yet upgrade to Firewall98 which fixes this problem.  Remember
    that older software is more likely to have bugs.  Firewall98 is more
    stable than Firewall97.  The UNIX version of the Firewall97 was having
    problems with DNS.  Firewall97 on DU brought secure DNS into the
    product.  This was quite a step.  There is no comparison between
    Firewall97 and Firewall98 on NT.  Run, don't walk to Firewall98 if you
    use NT.
    
    3)  The best solution is to upgrade named to 8.1.2.  This breaks the
    installation scripts, but they were not good for DNS anyhow.  The
    scripts do a poor job of setting up the MX records.  I pointed out 8.1.2
    during the beta, and they said that they would try to put it in the next
    major release.  No promises though.  The people in product support
    recommend 8.1.2.  There is no fancy GUI for this; just UNIX.
    
    This illustrates a major bug of mine.  Security is not a product, but
    the person managing the product.  A good product, and IMHO AltaVista
    firewall is one of the best, poorly installed will not work right.
    Security products are for the seasoned professional.  For AltaVista (or
    Sun or Cisco) to make changes to their product requires that they spend
    a few million dollars on regression testing.  A knowledgeable manager can
    make the changes now.
    
    BTW, I know some of the folks in Engineering, and they are very good.
    Sometimes their hands are tied because whatever they say can legally
    bind the company.  The Chief Engineer, Jeff Needle, follows the security
    products well.  You are not going to get much support if you do not have
    the latest version with the latest patches.
    
    DO NOT USE the standard DU patches.  One of them, I don't remember which
    one, breaks the firewall.  The release notes tell you this.  If you need
    help contact me off line, and I will be glad to help you.  I know the
    AltaVista security products very well, and the people in Engineering
    know me.  I am an independent consultant that often uses AltaVista
    products.  The next major release of DU will probably include the
    firewall drivers as part of the operating system.  YMMV
    
    Roger Baker
    bakerat_private
    