From: Roman Shterenzon
To: Brian Reichert
Cc: "freebsd-security@FreeBSD.ORG"
Date: Sun, 8 Oct 2000 02:09:28 +0200 (IST)
Subject: Re: Check Point FW-1
In-Reply-To: <20001007133804.C54883@numachi.com>

On Sat, 7 Oct 2000, Brian Reichert wrote:

> On Sat, Oct 07, 2000 at 05:49:09PM +0200, Roman Shterenzon wrote:
> > Hi,
> > Speaking for myself (Xpert are an official CheckPoint dealer) I can say that
> > although FW-1 might have had some problems, it's quite good.
> > It's quite secure as well (usually installed on Solaris/(sparc|i386) )
>
> I've never installed it. I 'inherited' a CheckPoint box running
> under Solaris, and, from an internal net had to break in to the
> box to grant myself admin privs.
>
> I got in because UNIX services under SunOS 5.6 were misconfigured.
> That's not CheckPoint's fault. But I don't think it's fair to
> claim that the presence of CheckPoint makes the box secure...

Again speaking for myself - I doubt that you or anybody else could have
managed to break into a Solaris firewall I've installed (properly), unless
of course there's some bug in CP fw1 which makes it possible.
Of course the underlying OS must be secure, and (!) the rules must be
secure. The rules shouldn't have allowed you to talk to any service on the
fw in the first place. So.. it was BADLY misconfigured.
Again, I think for a commercial solution FW-1 is very good.

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]