While Checkpoint issues service pack to address vulnerabilities,
hackers warn against placing too much faith in firewalls.
By David Raikow,
Technology Editor, Sm@rt Partner
2, 2000 - Copyright
An audience of several hundred
network security professionals watched with rapt attention
last week as a trio of hackers repeatedly penetrated
one of the industry's most trusted and popular firewall
products--Checkpoint Software's Firewall-1. The demonstration,
presented at the "Black Hat" security conference
in Las Vegas, challenged the widely accepted notion
that firewalls are largely immune to direct attack.
The panel--John McDonald and Thomas Lopatic of German
security firm Data Protect GmbH and Dug Song of the
University of Michigan--identified three general categories
of firewall attacks. They began by demonstrating a
number of relatively simple techniques by which an
attacker could impersonate an authorized administrator,
and thus gain access to the firewall application itself.
A second type of attack tricked the firewall into
believing an unauthorized Internet connection was
actually an authorized virtual private network connection.
Finally, the panel exploited a number of errors in
the process used to examine traffic passing through
the firewall to sneak in dangerous commands.
their presentation focussed on a single commercial
firewall product, panel members repeatedly emphasized
that most firewalls are vulnerable to the types
of attacks demonstrated. "The problem is not
just with [Firewall-1]," said Song. "The
real problem is the blind trust most people place
in their firewalls."
Greg Smith, Checkpoint's director of product marketing
for Firewall-1, pointed out that many of the attacks
demonstrated relied on improper firewall configuration,
and he asserted that they presented little practical
threat. "Not a single customer has reported a
problem with any of these issues."
Nevertheless, Checkpoint worked with McDonald, Lopatic
and Song in developing defenses against the attacks,
which they released as part of Firewall-1 Service
Pack 2 immediately following the demonstration. Checkpoint
emphasized that the service pack should prevent all
of the attacks discussed, even those dependant on
The panel also recommended a number of additional
steps for "hardening" firewalls, including
use of strong authentication protocols, "anti-spoofing"
mechanisms and highly restrictive access rules. At
the same time, they called on the IT community to
abandon the "single firewall" model of network
security and implement multiple lines of defense.
However, one observer of the session, employed by
a network switch manufacturer, thinks Checkpoint lost
some credibility over its products. "Some of
the exploited areas were because of dumb programming
mistakes in the code for the firewall itself. If the
[firewall] programmers can't get it right, what other
problems may still be lurking?" he pondered.