FEATURES & COMMENTARY
San Diego, CA — David Raikow reports that an audience of several hundred network security professionals watched with rapt attention last week as a trio of hackers repeatedly penetrated one of the industry’s most trusted and popular firewall products – Checkpoint Software’s Firewall-1. The demonstration, presented at the “Black Hat” security conference in Las Vegas, challenged the widely accepted notion that firewalls are largely immune to direct attack.
The panel – John McDonald and Thomas Lopatic of German security firm Data Protect GmbH and Dug Song of the University of Michigan – identified three general categories of firewall attacks. They began by demonstrating a number of relatively simple techniques by which an attacker could impersonate an authorized administrator, and thus gain access to the firewall application itself. A second type of attack tricked the firewall into believing an unauthorized Internet connection was actually an authorized virtual private network connection. Finally, the panel exploited a number of errors in the process used to examine traffic passing through the firewall to sneak in dangerous commands.
While their presentation focussed on a single commercial firewall product, panel members repeatedly emphasized that most firewalls are vulnerable to the types of attacks demonstrated. “The problem is not just with [Firewall-1],” said Song. “The real problem is the blind trust most people place in their firewalls.”
Greg Smith, Checkpoint’s director of product marketing for Firewall-1, pointed out that many of the attacks demonstrated relied on improper firewall configuration, and he asserted that they presented little practical threat. “Not a single customer has reported a problem with any of these issues.”
Nevertheless, Checkpoint worked with McDonald, Lopatic and Song in developing defenses against the attacks, which they released as part of Firewall-1 Service Pack 2 immediately following the demonstration. Checkpoint emphasized that the service pack should prevent all of the attacks discussed, even those dependant on misconfiguration.
The panel also recommended a number of additional steps for “hardening” firewalls, including use of strong authentication protocols, “anti-spoofing” mechanisms and highly restrictive access rules. At the same time, they called on the IT community to abandon the “single firewall” model of network security and implement multiple lines of defense.
However, one observer of the session, employed by a network switch manufacturer, thinks Checkpoint lost some credibility over its products. “Some of the exploited areas were because of dumb programming mistakes in the code for the firewall itself. If the [firewall] programmers can’t get it right, what other problems may still be lurking?” he pondered.