ISA smarter than Checkpoint

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 10 Oct 2005 14:59:04 -0500

I usually try not to compare ISA and Checkpoint, because CP is a darned
good firewall, and you pay the price for it. It's not like the PIX, which
is about as secure as the US Social Security system. But, thought you
might want a nice ISA pat on the back on this one:

** Check Point Vulnerability Expanded
By Russ Cooper

* Hacking/Denial of Service

- Check Point SecurePlatform NGX Firewall Rules Bypass 
Vulnerability (Intellishield ID: 9706): This warning has been 
reissued to add additional impacted products. Initially reported 
was Check Point SecurePlatform NGX R60 Build 244 and prior. Now 
added to that list: VPN-1/FireWall-1 versions NG AI, 4.1 and NG; 
VPN-1 VSX version NG AI; and Provider-1 versions NG AI and NG.

The rule supplied with the Firewall product to handle "CIFS" 
traffic is equivalent to "ANY," in that it actually allows any 
traffic to/from the source/destination addresses added to the 
rule. CIFS is a file sharing protocol used by Windows systems 
which permits SMB over TCP. The rule permits CIFS as well as 
some legacy NetBIOS traffic. A proper CIFS rule should limit 
traffic to port 445. 

While no patch has yet been provided by Check Point, anyone 
needing this rule group can create a custom group of their own 
limiting what traffic is allowed.

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
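As an added illustration (not part of the post or of the Check Point advisory it quotes), the following Python models a rule's service group and flags accept rules whose group covers every TCP and UDP port, which is the "equivalent to ANY" condition the advisory describes for the stock CIFS rule; it also catches groups that reach full coverage through several port ranges rather than one wildcard. The addresses, rule names and group contents are constructed for the example.

```python
from dataclasses import dataclass

ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Service:
    proto: str                 # "tcp", "udp" or "any"
    ports: tuple = ALL_PORTS   # inclusive (low, high) port range

    def matches(self, proto, port):
        if self.proto not in ("any", proto):
            return False
        return self.ports[0] <= port <= self.ports[1]


@dataclass
class Rule:
    name: str
    src: set
    dst: set
    services: list   # the service group attached to the rule
    action: str = "accept"

    def matches(self, src, dst, proto, port):
        """True if this rule would apply to the given flow."""
        return (src in self.src and dst in self.dst
                and any(s.matches(proto, port) for s in self.services))


def covers_all_ports(services, proto):
    """True if the group's ranges for `proto` merge into 0-65535 with no gap."""
    ranges = sorted(s.ports for s in services if s.proto in ("any", proto))
    reach = -1
    for low, high in ranges:
        if low > reach + 1:
            return False
        reach = max(reach, high)
    return reach >= 65535


def is_effectively_any(services):
    return all(covers_all_ports(services, p) for p in ("tcp", "udp"))


def audit(rules):
    """Names of accept rules whose service group behaves like ANY."""
    return [r.name for r in rules
            if r.action == "accept" and is_effectively_any(r.services)]


# Constructed groups: a CIFS group that behaves like ANY, and a corrected one
BROKEN_CIFS = [Service("any")]                # what the advisory describes
FIXED_CIFS = [Service("tcp", (445, 445))]     # CIFS limited to TCP 445
broken_rule = Rule("file-sharing", {"10.0.0.5"}, {"10.0.1.20"}, BROKEN_CIFS)
fixed_rule = Rule("file-sharing-fixed", {"10.0.0.5"}, {"10.0.1.20"}, FIXED_CIFS)
```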