North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: ISS X-Force Security Advisories on Checkpoint Firewall-1 andVPN-1

  • From: Suresh Ramasubramanian
  • Date: Thu Feb 05 12:27:10 2004

Christopher L. Morrow  [2/5/2004 10:45 PM] :

Sure, anything is dangerous in the 'right' (wrong?) hands. Is the fault
with the vendor or the person(s) implementing or the 'management' of said
person(s)? Even an openbsd firewall is a problem if not properly admin'd.
of course, but you do have to contend with the fact that it takes at least some amount of IQ beyond the point and click level to fire up vi and use a command line interface. :)

Neal Stephenson's "in the beginning was the command line" is an interesting take on this, I think.

Nope, but pointing out their failures in a sensible manner to their
management is helpful... sometimes atleast :( Failing any action there the
whole group is just shooting themselves in the foot and there isn't much
you can do about that, is there? (except to get out of the blast radius)
Actually, the problem is that when dealing with a bunch of know it alls like that, even waving manufacturer's documentation in front of them doesn't really help

Like my friend's cable ISP, that recently turned on "smtp fixup" on a cisco pix on port 25 across their entire network. He's got a static IP, runs linux + postfix, and is still left with a completely crippled mailserver (no AUTH, no TLS, no ESMTP ...) thanks to this. Waving cisco docs at them doesn't seem to have helped at all. [Moving is tough, they are the only broadband in the bangalore suburb where he lives]

srs (postmaster|suresh) // gpg : EDEDEFB9
manager, security and antispam operations