Re: AltaVista Firewall97

From: Jochen Thomas Bauer (jtbat_private-STUTTGART.DE)
Date: Mon Mar 01 1999 - 03:07:01 PST


    On Sat, 27 Feb 1999 Roger Baker <bakerat_private> wrote:
    
    >I was one of a few beta testers outside Digital for Firewall98.  I
    >pointed out a year ago this problem in the beta.  Firewall98 was going
    >to be released with named 4.9.6.  I raised hell, and they shipped 4.9.7
    >with Firewall98.
    [...]
    >2)  Better yet upgrade to Firewall98 which fixes this problem.  Remember
    >that older software is more likely to have bugs.  Firewall98 is more
    >stable than Firewall97.
    
    According to updated information about the BIND problem available at
    
    http://support.altavista-software.com/kb/solutions/firewall/general/259-042398.asp
    
    BIND 4.9.7 was shipped as part of AltaVista Firewall 98 for DIGITAL UNIX but
    inadvertently was not being used. So, after upgrading to Firewall 98 you will
    probably have to follow the instructions given on that page to enable the use
    of BIND 4.9.7.
    
    One more thing:
    IMHO I think that Firewall97 (what about Firewall98?) lacks a "linux-style"
    interface packet filter. The currently implemented interface packet filter can
    only filter packets by their IP source address to prevent IP spoofing attacks.
    The next layer is the screend (screening daemon) running on the firewall that
    decides whether or not to forward a packet or redirect it to a proxy server,
    based on the IP source/destination address, protocol and source/destination port
    of the packet (this corresponds to the forwarding rules on a linux packet filter).
    However, unlike the linux packet filter, the Firewall97 interface packet filter
    cannot be used to protect the firewall itself by specifying appropriate input
    rules based on IP source/destination address, protocol and source/destination
    port. Thus, all the network daemons running on the firewall that are used only
    by localhost (e.g. named and some authentication servers on Firewall97) are
    unnecessarily potential targets. Maybe I'm a bit paranoid, but I think that in
    computer and network security one should not rely on any software to be free of
    security-relevant bugs.
    
    --
    Jochen Bauer
    Institute for Theoretical Physics
    University of Stuttgart
    Germany
    
    PGP public key available from:
    http://www.theo2.physik.uni-stuttgart.de/jtb.html
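The distinction Bauer draws above, between a filter that only checks source addresses for spoofing and a "linux-style" input chain that can also protect the firewall host's own daemons, is modelled in the following added example. It is not code from the post, from Firewall97 or from any Linux packet filter; it is a small first-match-wins evaluator in the spirit of an ipchains input chain. The interface names, the addresses (documentation ranges and RFC 1918 space) and the port numbers are assumptions chosen for the illustration.

```python
"""Model of a "linux-style" input packet filter applied to a firewall host.

Semantics modelled: rules are tried in order, the first match decides, and
an unmatched packet falls through to the chain's default policy (DENY).
Rules may match on arriving interface, IP source/destination network,
protocol and destination port, which is exactly what an interface filter
that only knows source addresses cannot express.
Added illustration only; topology and ports below are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on ("lo", "int0", "ext0")
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                                 # "ACCEPT" or "DENY"
    iface: Optional[str] = None                 # None = any interface
    proto: Optional[str] = None                 # None = any protocol
    src: str = ANY                              # source network (CIDR)
    dst: str = ANY                              # destination network (CIDR)
    dport: Optional[Tuple[int, int]] = None     # inclusive destination port range

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        return True


def filter_input(chain: List[Rule], p: Packet, policy: str = "DENY") -> str:
    """Evaluate an input chain: first matching rule wins, else the default policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.action
    return policy


# Assumed topology: firewall has 192.0.2.1 on "ext0" (outside) and 10.0.0.1 on
# "int0" (inside); the internal network is 10.0.0.0/8.
FIREWALL_EXT = "192.0.2.1/32"
FIREWALL_INT = "10.0.0.1/32"
INTERNAL_NET = "10.0.0.0/8"

INPUT_CHAIN: List[Rule] = [
    # Anti-spoofing, the only thing a source-address-only interface filter can do:
    Rule("DENY", iface="ext0", src=INTERNAL_NET),     # internal addresses from outside
    Rule("DENY", iface="ext0", src="127.0.0.0/8"),    # loopback addresses from outside
    Rule("DENY", iface="int0", src="127.0.0.0/8"),    # loopback addresses from inside
    # Daemons used only by localhost (named, authentication servers) stay reachable
    # over the loopback interface and nowhere else:
    Rule("ACCEPT", iface="lo", src="127.0.0.0/8", dst="127.0.0.0/8"),
    # Services the firewall intentionally offers, each pinned to interface,
    # source network, protocol and port (assumed: proxy on 8080, SMTP relay on 25):
    Rule("ACCEPT", iface="int0", proto="tcp", src=INTERNAL_NET, dst=FIREWALL_INT, dport=(8080, 8080)),
    Rule("ACCEPT", iface="ext0", proto="tcp", dst=FIREWALL_EXT, dport=(25, 25)),
    # Everything else destined to the firewall itself is dropped (explicit default).
    Rule("DENY"),
]

# Constructed sample traffic, labelled by what it represents.
SAMPLES: Dict[str, Packet] = {
    "local_dns_query":     Packet("lo",   "127.0.0.1",    "127.0.0.1", "udp", 1234, 53),
    "external_dns_query":  Packet("ext0", "198.51.100.7", "192.0.2.1", "udp", 53, 53),
    "spoofed_loopback":    Packet("ext0", "127.0.0.1",    "192.0.2.1", "udp", 1234, 53),
    "internal_to_proxy":   Packet("int0", "10.1.2.3",     "10.0.0.1",  "tcp", 40000, 8080),
    "external_to_proxy":   Packet("ext0", "198.51.100.7", "192.0.2.1", "tcp", 40000, 8080),
    "external_smtp":       Packet("ext0", "198.51.100.7", "192.0.2.1", "tcp", 40000, 25),
}


def evaluate_samples() -> Dict[str, str]:
    """Run every sample packet through INPUT_CHAIN and return its verdict."""
    return {name: filter_input(INPUT_CHAIN, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:20s} -> {verdict}")
```

The point of the example is the second and third sample packets: with only a source-address check, a query to named from outside with a legitimate-looking source passes the interface filter and reaches the daemon, so any bug in named is exposed; with an input chain keyed on interface, destination address and port, the same daemon is reachable only over loopback, and the spoofed-loopback packet is caught by the anti-spoofing rule before the loopback ACCEPT is ever consulted.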
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:37:57 PDT