Firewall + Censorware = Trouble 72
Is your company thinking of buying a firewall that comes bundled with
blocking software? Think twice.
SecurityFocus ran
thisstory
earlier this week:
"Censorware gaffe turns 'World's Most Secure Firewall' into an open door."
Turns out that bundling Cyber Patrol with Network Associates'
Gauntlet
meant creating a custom server that "contains a buffer overflow bug, and, further, mistakenly accepts connections from the outside world" - so intruders could get root on the firewall. Makes sense to me: firewall designers keep security uppermost in mind; censorware designers don't. Update 8:55 AM: BusinessWeek is calling it
"The Breach That's Shocking the Firewall Industry."
Censorware designers not to blame (Score:2)
It is actually the firewall guys that screwed up, not the censorware. So censorware is just a bad idea for the other 101 reasons, not security.
On a side note, does anyone actually read the stories before they are posted?
naturally... (Score:1)
As a general rule kludged and patched together software usually doesn't work well. BUT you can make a well detailed design that is readily expandable and extensible... ie Apache is designed to be patched together and works well.
The folly here is taking two unrelated products and "slapping" them together. I intuit that "Cyber Patrol" was never designed as a module for the "Gauntlet" firewall... neither was "Gauntlet" designed with a product like "Cyber Patrol" in mind.
The fundamental problem here lies in the design phase of the project... the integrated system design model should have had an over-arching security function point to handle buffer attacks. The problem is compounded by the fact that the Risk Management analysis apparently missed this possibility (buffer overrun), and that the Testing Phase didn't think of testing in this area (buffer overrun attacks).
ye gods! I actually learned something in school! Wait a minute... does technobabble count as learning?
--// Hartsock
look whose talking (Score:1)
Re:Once you've got root access on their firewall.. (Score:1)
...you had read the article. (Score:2)
as overrated?
This is a major firewall product. This major firewall product comes with trial software that creates a hole in the one feature which is the only reason to buy the product. It is a major gaffe and is newsworthy. The fact that it involves Censorware is merely additional irony.
Anomalous: inconsistent with or deviating from what is usual, normal, or expected
Re:Where do I get that list? (Score:1)
Re:NAI's Trusteeship of Gauntlet (Score:1)
- In my experience and opinion, technical support has definitely taken a turn for the worse. It has become so worthless, IME, that the company I work for doesn't plan to necessarily renew our support contract for the product.
I have to confirm the above; I'm a programmer with a security and sysadmin background who was hired as the second techie at a small startup. My first sysadmin assignment was to get a firewall up; I chose Gauntlet on its technical merits (I prefer proxy firewalls if the threat level is high), availability of source, reputation, and cost (we could run it on a slightly old PC with BSDI (for which source is also available), which will soon not be an option).I had the misfortune to do this just as NAI bought TSI. Right at that time the tech support we received was unacceptable: we would be 50th or 80th in line, and it would take over half a week for an engineer to get back to us. They were also very difficult when we requested source; from posting I'm replying to, it would appear they now officially don't do this.
One of my coworkers knew someone involved in the takeover; after plying him with drinks, he got him to admit that Network Associates had "gutted" TSI (perhaps they were following the MO of Computer Associates, which is notorious for buying companies and getting rid of most of the technical staff; I had a friend using Ingres when CA bought them, you might remember the Unix World article with "fall of Saigon" picture).
NAI implicitly admitted this, saying they were hiring engineers at a high priority, and gave some excuse for why they needed to (perhaps they moved their tech support center? I can't remember the details now).
Bottom line: for me, recommending a NAI product turned out to be a severe career limiting move, since the firewall was a very visible thing due to the nature of the company's business.
Re:Its about complexity, not censorware (Score:2)
That's a good idea. Another good idea is to do a simple ``netstat'' dump of listening sockets on the firewall. I hope that any firewall admin is already doing this--it is an important check that things are as you intended them to be. Any program which cannot bind to specific interfaces has no business on a firewall. It certainly shouldn't call itself a ``proxy''.
I know the first time I ran ``netstat -l'' on a RedHat 6.1 system I was quite surprised by the cruft hanging around. Before that machine took on its firewall/masq duties, all those unwanted daemons were removed.
Exactly. Applications on a firewall?! WTF? (Score:1)
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
Re:Not a +5 comment bro.... (Score:1)
I wouldn't have moderated this up either. I didn't think it was that good of a comment. I was just making a philsophical observation that was slightly off topic.
But I do think that I made a good point. Software made by companies with evil management (and all companies have evil management) and companies that make software with social purposes, don't make software that is inherently technically flawed. If you look at Slashdot, or even Sun's CPR, that seems to be an unspoken assumption.
If it would make people feel better, moderate my defense of myself down to -1, Offtopic; and then I will end up with even Karma from the whole experience.
Re:Same story, different message (Score:1)
And yet, somehow, your point of view is superior?
If you don't like the article then don't read it. It's that simple, I promise you.
Re:Bugs happen. But Trialware In The Firewall?!? (Score:1)
$FIREWALLS -ne $SECURITY (Score:1)
I am not convinced that any firewall scheme is usefully secure in a business environment. Many attacks come from within; you can't assume that any connection from within the perimeter can be trusted. It's better to use cryptographic security than to rely on a firewall.
--
I used a Firewall/Censorware package (Score:2)
But as a censorware package, it had a lot to be desired. I wanted to visit my own web site, http://www.amazing.com . "This site has been blocked by SonicWall". Fine, maybe my site has wierd stuff on it someplace, it has so many pages, how can I even tell nowadays? So I added my site to the "let through anyway" list and went on.
Then I tried visiting http://www.freshmeat.net/ to get some software for my Linux box.
"This site has been blocked by SonicWall"
In a moment of pure anger, I shut off filtering and rebooted the SonicWall. End of problem.
D
----
Criticising Mattel's Love and Joy? (Score:1)
Re:Bugs happen. But Trialware In The Firewall?!? (Score:2)
Unsure this is tair. We're talking about an app that needs to do a raw interface sniff through something like BPF, and then make decisions based on that sniff regarding whether or not to *actively* forward the individual packets through frames on the internal interface. This app is using entirely tainted data--everything it receives is untrusted content. Root or not, any compromise of the firewall code would be required to grant the capability to forward arbitrary packets to the internal network, which directly contravenes the stated purpose of the firewall itself.
In short, the coders can't be blamed on a permissions level--it's conceptually impossible for the most of the serious damage to have been prevented "if only the app wasn't root". About the best I can imagine is if the execution context of the firewall didn't share read/write access to the storage medium of the firewall code. That prevents long lasting trojans, at the expense of reducing the number of sites that will upgrade their firewalls.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Re:Same story, different message (Score:2)
I think my usage falls neatly under # 2 and #3. Damn, do you all have to make me keep reliving my failures in English class???? 8^}
There is some justice here... (Score:1)
Re:Same story, different message (Score:1)
"Ireland hates England, but ends up copying England" is incongruous and ironic.
"Ireland hates England, and tries to do everything the opposite, and winds up exactly copying France" is also incongruous, but it is not ironic.
the tone I used before was a bit too harsh (sorry!), but I'm just bitter because I'm particularly annoyed at political uses of irony. Consider: "it is ironic that people who are anti-abortion call themselves pro-life, and yet they favor the death penalty." That's not really irony, it is more akin to hypocrisy. Except, it's not hypocrisy, either. Because, consider "it is ironic that those who object to capital punishment for murderers, have no objection to killing fetuses" or "those who are in favor of legal abortion call themselves pro-choice, yet they tend not wish abortion law to be left to the choice of the voters, nor do they demand that the FDA give women control of their own bodies when it comes to breast implants." And those who demand "reproductive freedom" don't seem to come out in favor of human cloning themselves.
So, I'm not trying to start an argument on those issues either, but if you did want to start, start by saying what you believe and why I should believe it, and avoid pointing out how true believers can't see the other side.
Re:Misleading article (Score:1)
--
Binary poison. (Score:5)
The most secure systems are generally speaking, the simplest. It should be obvious that the fewer things a system has to do, and the fewer ways of doing those things, the less chance there is for there to be a security hole (or any other kind of flaw).
Obviously, some for applications it's better to have some 'more-than-one-way-to-do-it'. Firewalls do not fall into this category.
A Firewall should be there for one purpose, and one purpose only: to control access to a network. Adding features like cyberpatrol was asking for trouble. If you want cyberpatrol software, install it seperately, behind the firewall, so that they can't interfere with each other.
Re:So use squid for your censor-ware (Score:2)
...phil
Censorware = Trouble (Score:1)
(THUS, mathematics tells me that Firewalls must be equal to 0....)
Equations... (Score:4)
Hmm...
Mozilla x (Perl + Python) = New IDE [slashdot.org]
Firewall + Censorware = Trouble [slashdot.org]
It seems the million dollars for solving mathematical puzzles [slashdot.org] is preying on the minds of the Slashdot folks....
dylan_-
--
Re:Would this be newsworthy if... (Score:1)
Well, if you read the article you should have noticed that they say that the censorware product is installed by default, and it automatically turns itself off after 30 days if you don't pay. My interpretation of this is that it is active in the default install and unless you specifically turn it off it will be active for 30 days. (I could be wrong, of course. Maybe it has to be turned on manually... I don't know.)
So, in case it is actually on by default, then it is a major security hole!
- A
Firewall bugs (Score:2)
... quite "extreme", some of them, too. I wonder which URL gets logged -- they one you asked for, or the one it delivers.... scary.
Its about complexity, not censorware (Score:5)
In fact, this is the first remote-root exploit in a commercial firewall in a long time and it is due entirely to the fact that commercial vendors are under pressure by the market to throw the damned kitchen sink into their products. Firewalls need to be simple enough to be auditable. Simple enough to be understandable by a human at a time and place by herself.
Commercial firewalls like Checkpoint's FW1 and Gauntlet (among many other offenders) are selling like hotcakes for bad reasons. Smart organizations are implementing simpler solutions like OpenBSD-based ipfilter (Darren Reed's well-tested stateful packet filtering running on Theo Raadt's well-audited kernel). They are then (as other folx have suggested) supplementing with things like squid for proxying (and hopefully on a box separate from the firewall!) and even still using things like the TIS toolkit (now from NAI but originally authored by Marcus Ranum. Smart organizations run secure MTAs like qmail and do virus filtering on the mail server only if they have to (it's a task better taken care of at the client, IMHO).
These are not fancy tools, but they perform their objectives simply enough that they can be trusted.
Security should not be about features, ever. It should be about verifiability and trustworthiness.
Why are we not supprised? -- wrong reason!! (Score:2)
Hashing the CyberNot list is not the issue. It is designed for speed, not security. If the list access was slow, it would make the product useless, if you had to wait an addition .5 seconds on every lookup. Hashing the list was probably meant as a prevent someone from taking the list and selling their own product (a filter, or a list of XXX sites). Using the same hash for the password was just plain lazy/sloppy!
Re:Would this be newsworthy if... (Score:2)
Back when I worked for Norman Data Defense on their firewall product (which failed, so don't wonder if you never heard of it) they wanted to add in CyberPatrol. I screamed and yelled at management that this was an incredibly stupid thing to do, that it would be a huge gaping security hole to run sofware that we couldn't control on the firewall box.
(Disclosure: I used to work at TIS (though not on Gauntlet) and own Network Associates stock.)
The Key is Product Testing (Score:2)
This is true if you are informed by your own people that your product has a flaw. If you are informed by a client, hang your head in shame. The whole point of a firewall is security that should be tested and retested and broken and fixed before it is released.
What a black eye for NAI's reputation ...
Re:look whose talking (Score:1)
Debian?
Not to mention that Linux is just a kernel....
This is something I would expect from one of those AC Microsoft employees that are paid to troll slashdot.
Re:Bugs happen. But Trialware In The Firewall?!? (Score:1)
"Firewalls" (really a misnomer when you talk about single box solutions) should have the absolute minimum of accts, and being as services are also a bad idea, system accts must also be minimal.
I don't know the details but according to the article _I_ read, the exploit allowed you to _get_ root access via a modified buffer overflow, so in all likelihood it was a suid program.
I think there would be some agreement if I stated that the policymakers have the power to override any objections the coders might have raised (assuming the were even informed of the bundling beforehand)
Not a +5 comment bro.... (Score:1)
Security is the overriding issue here and Gauntlet is a widely used product.
The fact remains that a poor decision was made by NA management that had a detrimental effect on the efficacy of the product, placing a large number of customer (who paid a goodly sum, I might add) at risk.
Sum this with the fact that NA has been lax WRT informing their client base of the problem that _they_ (NA management) created by placing marketing concerns over quality.
If Glowing Fish makes assumptions about what he assumes
Maybe I should be more steamed with
I can see why the current system was chosen so I won't argue with it, but it really bothers me that many of those who chose to moderate do so with their _own_ agendas instead of trying to be objective.
You can flame me if you want, and I wouldn't be surprised if I got moderated down enough to get my acct yanked over it but, seriously, how the hell can you guys rank this a 5? I knocked off a point for being overrated and two minutes later it's back at the top of the pile. I mean, the poster considers _root_ exploits on a widely used security product not "a major hole", but because he discerns this merely as
Moderation was put in place because some people chose to be unruly but the mob mentality that it generates is really a shame, basing it purely on a participation basis really falls short of the ideal.
Just to be clear, I support peoples right to disagree, and I support their right to have an opinion of what is worthy of merit. I'm not saying GlowingFish doesn't have right to be heard or be critical of
Mark this post into oblivion if you feel the need to, I feel better after spouting off so I still win.
Alternate URL (Score:1)
For those of you saying, "Story? What story?" it can also be reached minus frames and ads, and/or while using a proxy like Internet Junkbuster [junkbuster.com]. But disable JavaScript before you read the story here [securityfocus.com].
Re:...you had read the article. (Score:1)
I did, and it went right back up. I had a nice rant over it.
I suppose I could have sent Rob an email, but we should really police ourselves a little better.
Misleading article (Score:4)
Please, let's be clear on this: There *are* Firewall/Censorware pacakges that don't automatically create security holes in your network.
Some are even good censorware, like using junkbuster in conjunction with a firewall to reject evil cookies and filter unwanted ads, and repel crackers.
It's amazing how much faster it is to surf without waiting for some silly ads to finish downloading, so you can see the rest of the page.
(Just my $0.02)
--
This makes me wonder... (Score:2)
Why are we not supprised? (Score:1)
Would this be newsworthy if... (Score:5)
This had not been a censorware product that caused the security hole? This doesn't seem to be a major security hole, it is confined to one specific firewall and one particular censorware product.
If Slashdot is trying to show a technical flaw, that is cool. And if Slashdot is trying to say that censorware is wrong\unethical, that is also okay. But by combining the two, what Slashdot seems to be subliminally implying is:
"Unethical" software is inherently techincally flawed.
Of course, no one would come out and say that, because it is totally ridiculous. But by showing examples, the idea is implanted.
Re:Misleading article (Score:4)
NewsFlash: Sendmail causes Unix to end world. Nuclear submarines may launch missles when fourteen-year-old crackers request it. This gives further proof that you can only trust closed mailing systems like Microsoft Exchange and wonderful Windows operating systems. Any other mail transport agent is insecure and liable to lead to the destruction of mankind.
Now, how many of you would be sitting back saying, "Yup. Right on! All open source Email systems are truely evil
Slashdot: News for paranoids, spreading the hysteria.
Re:Misleading article (Score:3)
I didn't see anything misleading at all. The article header tells it like it is. When they added in the CyberPatrol module, it added in a security breach. Not only that, it also setup an open proxy server. That's doubly bad.
What is truly pathetic about this is it's relatively simple to get rid of many buffer overflows by selecting languages and or libraries that range limit all IO. Using calls to routines like gets() and scanf() is asking for trouble. Even though they are standard C functions, they are also not safe due to their design. They don't limit the length of the data they store into buffers. C++'s standard IO routines also contain builtin buffer overflows. This is truly pathetic because it was well known that the non range limited IO routines in C were a security flaw long before C++ was invented. So what did they do, they perpetuated the problem by continuing to not do range limiting.
Where do I get that list? (Score:1)
speaking of the most secure firewall... (Score:1)
does this actually stop malformed or otherwise decided to be bad by policy network data? it seems to claim that each entire packet can be scanned for arbitrarily defined "evil data"
no offense, but i still dont see myself trusting the security of anything so critical on software i dont have source for, especially if its so complex. maybe im just silly/paranoid that way. i agree with the other posters about having other apps do the other tasks, but im also not into censorware. funny. never seen free or open source censorware....
NAI's Trusteeship of Gauntlet (Score:2)
- In my experience and opinion, technical support has definitely taken a turn for the worse. It has become so worthless, IME, that the company I work for doesn't plan to necessarily renew our support contract for the product.
- To me it seems NAI is more interested in adding "bells and whistles", such as "friendly" GUIs, add-ons like CyberPatrol, and improved performance and features under the Ms-WinNT version than it does improving and supporting the reliable, trusted Unix versions. (Indeed: they just announced End-Of-Life for the turn-key BSDI version.)
In other words: it looks to me like NAI is slowly turning Gauntlet into just another "me too", mass-market, point-and-click, Ms-Windoze-Pee-Cee-toy product. Which is really a cryin' shame! Gauntlet always took hits for being more resource-intensive and slower than competing products (it is a proxy firewall), but at least in the past you could always count on two things: you could trust it (I still do--but I wonder for how much longer?) and you could depend on competent tech support in a timely fashion. In short: Gauntlet was a firewall for power-Admins that had a clue! (Hell, they used to ship the thing with source! Patches actually patched the source, re-compiled and installedJust one (increasingly unhappy) Admin's opinion. Speaking for myself and not the company for which I work.
I have no matters (Score:1)
The lesson is: if you liberate the information, people tire to see that and turn to work, because it's more grateful than to see static pictures.
My 2 cents.
Re:speaking of the most secure firewall... (Score:1)
Wouldn't that be a feature of any stateful inspection proxy? Or am I misinterpreting staeful inspection.
ok (Score:1)
Re:Would this be newsworthy if... (Score:2)
See previous discussions on censorware. If you know the Wild Wild Web good enough you will immediately notice that censorware is not just wrong. It is technically unachievable and most companies trying to do it need a very heavy clue stick. Or are doing it for The Kids^H^H^H^HMoney only. Most if not all censorware packages vary between lame and ultra lame as both network knowledge, protocol knowledge and programming.
So tightly integrating a firewall package with software that is known to be lame by design is plain stupid. So is overfeaturing a firewall toolkit anyway. Simpler the better.
Also, I have personal doubts against the original article anyway. And they are:
Gauntlet has always been manufactured by a founder and promoter of the key escrow abomination
It has previous bad record. See BUGTRAQ archive. So I would not call it the most secure...
Re:So use squid for your censor-ware (Score:1)
Any well funded organisation that feels its morally superior I'd guess. Add a few set operators to allow people to block selections of lists (e.g. you could set it to block sites in the catholic church list and the anti pornography lobby list, apart from those sites about health issues, which would be supplied by a health organisation).
Companies that wish to use it could manage a combined list of undesirable sites. A system where the block list was supplied by anyone who wants to use it would be a lot more accurate than one produced by a single organisation.
Re:Its about complexity, not censorware (Score:1)
There is a _major_, IMHO , misperception that one box that does packet filtering == a proper firewall. I wouldn't necessarily disagree that its better than nothing (aside from a false sense of security != A Good Thing), but to make a car analogy (I know, I know, but thats why they call them "analogies"), a single box "firewall" is like riding in an airbag equipt car and figuring you don't need a seatbelt.
You can do all kinds of testing that shows good survivability, but testing isn't the same as production.
People need to learn the hard way, I guess.
More moderation spankage... (Score:1)
Redundant, huh? I guess cluefull-ness must be stomped.
hartsock, you are right on the money
Hey, maybe if I bitch enough I can get the automatic bonus point!
firewalls should only be firewalls (Score:3)
Unfortunately, in these days of consolidation and price sharing, nobody seems to be listening. I don't know how many requests I get a week from different people asking for different software to be installed on the firewalls ("Can we make the firewall a DNS server? SMTP server? NTP server?")
This also highlights another thing we in the security industry should be worried about: Bugs in code. With packages such as checkpoint becoming larger and larger, it is getting harder to keep track of the internals of exactly what is happening inside these security products. While it probably isn't feasible, it would be nice to have some sort of outside auditing done on the code, as a sanity check. Heck, open source it.
Also, this may make people take a closer look at firewall appliances such as the nokia. Having something that is pretty much a dedicated firewall solution (aka, stripped down OS, running nothing else but firewall) becomes more attractive.
So, the recipe for a good firewall is:
1) Install OS
2) De-install everything not needed to let the box run.
3) Harden OS (also, take a look at known security bugs for the OS you are running, it may save you grief in the long run).
4) Install firewall code. If you don't need some portion of the firewall, don't install/activate it! Also, RTFM. The release notes and web pages of the companies involved can save you trouble in the long run.
Of course, you need a little more than this to develop true 'network security', but this will at least help you get the firewall portion right.....
--Doc
Re:Not a +5 comment bro.... (Score:1)
If you look at my user info you can see I've been a long time reader, so yes, I do care that things get out of hand sometimes.
But hey, it's a slow day and I got caught up in the moment.
FWIW I hear you WRT the AC posting, I was going to do that with my original rant, but I figured, what the hell, somebody had to say it.
Buffer Overflows, Bad Interfaces both inexcusable (Score:2)
A separate problem is the complexity of the programming interface. I haven't seen it, but the descriptions in the articles sound like NAI had to do a lot of work to interface to it, enough that they did so unsuccessfully. But censorware's designed to be used in firewalls, so the interfaces need to be clean and well-documented, because you can't afford security mistakes here. There should be two or three parts to the interface - one that takes a URL and returns approve/reject, and one that provides administrative control over preferences, which is obviously more complex but should still be easy to do cleanly. The potential third part is processing the returned http itself (looking for dirty words or whatever), which is also hard, and needs to be cleanly designed so you can use it safely.
d Here's what I think (Score:1)
Synapses.
And loads of them, too, not just one or two. I'm talking about billions, if not trillions, of the little suckers pumping out neurotransmitter. Synapses are where learning takes place inside the brain as well as serving as the connections between neural dendrites and axons. Yep, if it wasn't for synapses I don't know *where* I'd be today.
/AGH agh don';t read this er AGAHH ok now somuch better NO agh the pain arrr I not no errrrr
aggh/
here's why I think
the buggers
the buggers they get inside you and they twist and crawl and i can feel them now they are eating away at my intestines and agh the pain they cause me every day the buggers wont someone help get the buggers out i need to get the buggers out out if it wasnt for them id be happy maybe
Re:speaking of the most secure firewall... (Score:1)
Regards,
Re:Why are we not supprised? (Score:1)
Bugs happen. But Trialware In The Firewall?!? (Score:5)
It's just a rather inconvenient failure for the Censorware industry that it was one of theirs that took the system down.
But there's a much more interesting failure, one that I don't really think has been paid enough attention to: It's not that Gauntlet had a security breach, it's that the breach came from 30-Day Trialware installed by default on a mission critical service.
If an app I choose to install turns out to have a hole, I'm more than willing to give the authors time to repair the hole. But if an app I *don't* choose to install turns out to install some other app with a hole, one I didn't realize would be installed by default, didn't realize would by default communicate my download logs to the central office(Hi Realnetworks! How's that Download Demon doing?), didn't realize was being shoved on me as a supposed freebie but as an actual privacy and security disaster...
Then the honesty that underlies every commercial reaction gets toasted.
I don't blame the coders for having a bug in their bridge code. I blame the policymakers for specifying that the bridge should be enabled by default. Such behavior is inappropriate for employee desktops; whoever made the call that this kind of sales strategy should be applied to the most security critical of product lines bears the responsibility for the disaster that ensued.
The only good to come out of it is that, slowly but surely, we're going to win Corporate America's support of industry codes of conduct as a last ditch defense against regulation. Some good, eh guys?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Re:Would this be newsworthy if... (Score:3)
As for the association between the two; that's taking it even further.
For my money, it just shows that when you take two products with different end-goals and try to merge them, you may end up sacrificing some of each...just it seems the sacrifice has come from the wrong side.
So use squid for your censor-ware (Score:2)
Re:Would this be newsworthy if... (Score:3)
There are a couple of other options for what /.'s saying:
(1) technically-flawed software is also unethical;
(2) oh look, combining things has just given us the worst of both worlds => this is a complete crock of software.
I'm surprised nobody's pointed out this absolute hoot of a sales pitch..:
Gauntlet Firewalls combine the most secure method of firewall protection - application gateway- with the speed of stateful inspection packet filters via our patent-pending Adaptive Proxy technology. Adaptive Proxies protect both in-bound and out-bound services, supporting high throughput and the latest web-based technologies without sacrificing security with important features including user transparency, integrated management, strong encryption and content security.
I guess it's not meant to be an open-source product, by any chance? ;)
.|` Clouds cross the black moonlight,
~Tim
--
I too, believe in keeping things simple... (Score:2)
Re:Same story, different message (Score:1)
Re:Its about complexity, not censorware (Score:2)
The impression I got from the article was that a simple portscan would've turned up the fact that something was amiss. It would seem that that'd be an easily automatable procedure that professional firewall vendors should go through as part of their testing procedure.
ObSoapbox: It'd be nice if, for such mission critical applications, vendors listed their testing metholody along with the normal advertising figures and specifications.
Re:Once you've got root access on their firewall.. (Score:2)
Re:Misleading article (Score:1)
The wrong paradighm (Score:1)
Teaching Buffer Overflows in School (Score:3)
Thad
Same story, different message (Score:4)
I have strong concerns about the methods they employ to select what content and sites to filter and this points to severe technical problems with their implementation. I think you read the wrong message into its
a firewall is a firewall, not a router etc (Score:3)
The more complex the system more more likely it is to have problems. Same issue for cars (eg a Formula 1 car less reliable than a Ford Focus, but it has a different job to do so..).
Like I always say KISS - Keep It Simple Stupid (Ok so the Army uses this as well).
The simpler the system more reliable it _tends_ to be.
When security is involved, I like simple because I'm stupid.
How did NAI manage that? (Score:1)
I thought all the gagware needs to do, is to send a request to a CyberPatrol ACL server with the URL in question and wait for a simple yay/nay reply...
Yours confused, Mincemeat
Re:So use squid for your censor-ware (Score:1)