Least vulnerable highest security firewall
It has been a difficult process trying to pick the "Right" firewall to protect a network consisting of only 2 pc's and a voip phone adapter.
I assumed Sonicwall would be a good choice until I recently learned that the end user equipment depends on continuous licensing validation by Sonicwall back end servers. If they go down or the connection is not maintained the end user equipment becomes compromised allowing malware into the network (what a ******awful design someone tell me this isn't true) and further the Sonicwall "reassembly free deep packet inspection" leaves ips vulnerable to fragmented packets allowed through without detection, DoS attack vulnerabilities, VPN Vulnerabilities, etc.
Upon further research into Watchguard firebox, there was a secunia advisory SA14928 left unpatched since 2005, and someone left this post: "I discovered a huge vulnerability in the Watchguard SSL-VPN implementation. The consequences are quite important as, if exploited correctly, it is possible to perform arbitrary code execution on the victims machine.For six months now I've been in contact with 'someone' from the Watchguard security team. He has promised me many times a date when the fix will be released. I'm still waiting for it...
In his last mail he said the fix was committed to the beta-team and I was going to be added to the beta-testers-list so I could try it out and play around with it. I'm still waiting to be added...To be honest, I start to feel rather annoyed about their attitude" It goes on to say " I informed them privately of two important vulnerabilities. I accepted to keep the details about the fixed problem confidential as courtesy. I keep waiting for 6 months with many beautiful promises about a fix and access to the beta. I don't ask any money for these reports.For ethical reasons I will not publish the full disclosure without the fix. But next time I find a leak in their products I might start thinking about selling it to the highest bidder." Perhaps the following is then related: Watchguard released a new version v10.2.3 fixing this huge problem. Quote Release Notes: The Mobile VPN with SSL client and gateway now protect against "Man in the Middle" attacks.
How many other yet undiscovered vulnerabilities are there for these, and other firewalls on the market? Is there a such thing as a firewall without vulnerabilities, and if so who is the manufacturer? What is the best solution for spam/malware filtering, Intrusion Detection, Voip, arp, vpn, mitm, dns, and protection against all other known tricks/vulnerabilities?
I'm alarmed at the number of outbound connection attempts (microsoft components) most of which there is little information about online. I don't mind having outbound connections so long as they are legitimate & required. Does anyone know where I could find a list so I know what this components are for?
I assumed Sonicwall would be a good choice until I recently learned that the end user equipment depends on continuous licensing validation by Sonicwall back end servers. If they go down or the connection is not maintained the end user equipment becomes compromised allowing malware into the network (what a ******awful design someone tell me this isn't true) and further the Sonicwall "reassembly free deep packet inspection" leaves ips vulnerable to fragmented packets allowed through without detection, DoS attack vulnerabilities, VPN Vulnerabilities, etc.
Upon further research into Watchguard firebox, there was a secunia advisory SA14928 left unpatched since 2005, and someone left this post: "I discovered a huge vulnerability in the Watchguard SSL-VPN implementation. The consequences are quite important as, if exploited correctly, it is possible to perform arbitrary code execution on the victims machine.For six months now I've been in contact with 'someone' from the Watchguard security team. He has promised me many times a date when the fix will be released. I'm still waiting for it...
In his last mail he said the fix was committed to the beta-team and I was going to be added to the beta-testers-list so I could try it out and play around with it. I'm still waiting to be added...To be honest, I start to feel rather annoyed about their attitude" It goes on to say " I informed them privately of two important vulnerabilities. I accepted to keep the details about the fixed problem confidential as courtesy. I keep waiting for 6 months with many beautiful promises about a fix and access to the beta. I don't ask any money for these reports.For ethical reasons I will not publish the full disclosure without the fix. But next time I find a leak in their products I might start thinking about selling it to the highest bidder." Perhaps the following is then related: Watchguard released a new version v10.2.3 fixing this huge problem. Quote Release Notes: The Mobile VPN with SSL client and gateway now protect against "Man in the Middle" attacks.
How many other yet undiscovered vulnerabilities are there for these, and other firewalls on the market? Is there a such thing as a firewall without vulnerabilities, and if so who is the manufacturer? What is the best solution for spam/malware filtering, Intrusion Detection, Voip, arp, vpn, mitm, dns, and protection against all other known tricks/vulnerabilities?
I'm alarmed at the number of outbound connection attempts (microsoft components) most of which there is little information about online. I don't mind having outbound connections so long as they are legitimate & required. Does anyone know where I could find a list so I know what this components are for?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Britt Thompson
Good call... I meant to say something about the Watchgaurd being an abomination. I second the stay away from Watchgaurd.
ASKER
i personally deploy and support the sonicwall appliance. if you don't have a huge budget or lots of experience, the sonicwall is a great appliance. it has several wizards for doing most of the things you need and has a track record for being a secure appliance.
I tried to contact NetSystems via email and didn't receive a response. I already purchased a sonicwall and getting ready to return it if even half of what I've read is true. The whole issue of end user's appliance security being turned off if sonicwall back end servers can't validate a license is extremely troublesome. Essentially if their server goes down so does your security. From what I've read this has already happened upsetting a lot of people. I can't even talk to a sonicwall tech to verify if the validation process has changed, or if other previous vulnerabilities have been fixed.
When I look into Cisco I find hundreds of vulnerabilities!:
2010: "Several firewall vulnerabilities exist within Cisco's ASA Firewall, a widely used firewall that is deployed in SoHo environments as well as Fortune 500 companies. One flaw allows an attacker to bypass the access control list (ACL), which negates the firewall's security policy settings. Also found were issues with Cisco's Adaptive Security Device Manager (ASDM), a Java-based GUI used for administering the firewall. Weaknesses within the authentication mechanism enable several different techniques that can allow an attacker to gain administrator credentials and execute code.
FIt seems clear to me we have another of the all-to-familiar issues of "blind faith." It seems clear there's a lot of blind trust being placed in these devices.
Here is a partial list of the 375 additional vulnerabilities found:
Cisco Unified Videoconferencing Products Multiple Vulnerabilities 2010-11-18
Cisco Unified Communications Manager Privilege Escalation Vulnerability 2010-11-08
Cisco Intelligent Contact Manager Setup Manager "Agent.exe" Multiple Vulnerabilities 2010-11-08
Cisco AnyConnect VPN Client Privilege Escalation Vulnerability 2010-11-03
Cisco IOS H.323 Two Denial of Service Vulnerabilities 2010-09-23
Cisco Unified Communications Manager Two Denial of Service Vulnerabilities 2010-09-23
Cisco IOS NAT Implementation Three Denial of Service Vulnerabilities 2010-09-23
Cisco IOS SIP Multiple Denial of Service Vulnerabilities 2010-09-23
Cisco IOS IGMPv3 Denial of Service Vulnerability 2010-09-23
Cisco IOS SSL VPN Memory Leak Denial of Service Vulnerability 2010-09-23
Cisco Wireless LAN Controllers Multiple Vulnerabilities 2010-09-09
Cisco IOS XR Border Gateway Protocol Denial of Service Vulnerability 2010-08-30
Cisco Unified Presence Two Denial of Service Vulnerabilities 2010-08-26
Cisco Unified Communications Manager Two Denial of Service Vulnerabilities 2010-08-26
Cisco Packet Tracer Insecure Library Loading Vulnerability 2010-08-26
Cisco IOS TCP Connection Handling Denial of Service 2010-08-13
Cisco ACE Products Multiple Denial of Service Vulnerabilities 2010-08-12
Cisco Wireless Control System Cross-Site Scripting and SQL Injection Vulnerabilities 2010-08-06
Cisco ASA 5500 Series Multiple Denial of Service Vulnerabilities 2010-08-05
Cisco Firewall Services Module Multiple Denial of Service Vulnerabilities 2010-08-05
Cisco Multiple Products TLS Session Renegotiation Plaintext Injection 2010-07-28
Cisco Content Delivery System Internet Streamer Directory Traversal Vulnerability 2010-07-22
Cisco Industrial Ethernet 3000 Hardcoded SNMP Community Names 2010-07-08
Cisco Unified Contact Center Express Two Vulnerabilities 2010-06-10
etc
etc
etc..............
Perhaps my vision of security is different, but the way I feel about it is either all or none. Either do it right the first time, and guarantee the work or don't do it all. There is no in between - There is no compromise.
If you want unbreakable security don't use the internet.
@MITM801 :: what email addres did you use to contact netsystems?
ASKER
what email addres did you use to contact netsystems?
I use disposable email addresses so that the next time I get flooded with junk I know were the problem originated.
The email was sent to support@netsystems.net from: netsystemsinquiry@nym.hush
If you want unbreakable security don't use the internet.
People have said many times "Just be careful what sites you visit and you'll be fine" Talk about blind faith! A simple solution which we've implemented involves keeping anything of value on an offline pc.
However, there are still reasons for securing equipment that has access. There are good reasons for using pgp to encrypt/exchange email, but the people I do business with simply don't understand or believe that email can be read by others.
i'll check on that.
I agree totally...definitely want to secure anything with access to the internet but you can never be so naive as to believe that your not going to have some risk regardless of the technology used to secure it.
@digitap "something to remember, a firewall appliance is only as good as the tech who installed it."
Absolutely, but it doesn't matter how good the tech is if you cannot trust your employees. You can have machines sitting offline in your office with highly important data and all it takes is someone with enough gumption to whip out their key chain drive or even walk out of the office with the machine.
Ultra high security doesn't just come from your hardware and software. If you have data that's that highly confidential you need internal man powered and building security as well. I did some work on machines at the company that printed, designed and tracked the McDonald's Monoply game pieces (if you don't know what that is, it's like the lottery but printed on cups and food packaging at a fast food restaurant). I had to be buzzed in from a quarter of a mile away through their razor wire topped gate, buzzed in through the front door, interrogated by a group at the front desk, given a yellow badge of warning, escorted through another keycard access door with a security guard, again escorted through a keycard access door (only after an employee on the inside verified I was who I said I was, signed the second check in form (first was at the front desk), surveillance cameras everywhere, escorted to the "Game" room where the computers that designed the game pieces were, let in by the security guard through the digital key coded door and into the isolated room. After I was in the room I had to sign in again and was watched like a hawk until work was done. I was never allowed to bring anything into the room and they provided screw drivers or anything that was needed for repair. None of the machines were connected to the external network and the room didn't have cabling for the network running into it. All employees were treated with the same scrutiny on a daily basis.
I made my way into this room one day when the company was having trouble with the software that creates / protects the game pieces. They had a consultant from the manufacturer out there assisting with an upgrade and they had very reluctantly allowed him to bring a laptop into the room. As soon as one of the employees saw the consultant had brought in a key drive and had plugged it into his laptop, his machine was confiscated and they ran his hard drive through a bandsaw before he was able to leave...and they were still worried.
Attach that kind of paranoia (warranted in this situation) with multiple layers of firewall security, employee background checks, file encryption, building security... you'll get to a level of Government type security but even then, you still might have an employee steal your data and slip it under the table to the guy that runs WikiLeaks.
It's a never ending path of distrust and paranoia...all you can do is your best to keep it safe and plan for what happens after it gets stolen.
@digitap "something to remember, a firewall appliance is only as good as the tech who installed it."
Absolutely, but it doesn't matter how good the tech is if you cannot trust your employees. You can have machines sitting offline in your office with highly important data and all it takes is someone with enough gumption to whip out their key chain drive or even walk out of the office with the machine.
Ultra high security doesn't just come from your hardware and software. If you have data that's that highly confidential you need internal man powered and building security as well. I did some work on machines at the company that printed, designed and tracked the McDonald's Monoply game pieces (if you don't know what that is, it's like the lottery but printed on cups and food packaging at a fast food restaurant). I had to be buzzed in from a quarter of a mile away through their razor wire topped gate, buzzed in through the front door, interrogated by a group at the front desk, given a yellow badge of warning, escorted through another keycard access door with a security guard, again escorted through a keycard access door (only after an employee on the inside verified I was who I said I was, signed the second check in form (first was at the front desk), surveillance cameras everywhere, escorted to the "Game" room where the computers that designed the game pieces were, let in by the security guard through the digital key coded door and into the isolated room. After I was in the room I had to sign in again and was watched like a hawk until work was done. I was never allowed to bring anything into the room and they provided screw drivers or anything that was needed for repair. None of the machines were connected to the external network and the room didn't have cabling for the network running into it. All employees were treated with the same scrutiny on a daily basis.
I made my way into this room one day when the company was having trouble with the software that creates / protects the game pieces. They had a consultant from the manufacturer out there assisting with an upgrade and they had very reluctantly allowed him to bring a laptop into the room. As soon as one of the employees saw the consultant had brought in a key drive and had plugged it into his laptop, his machine was confiscated and they ran his hard drive through a bandsaw before he was able to leave...and they were still worried.
Attach that kind of paranoia (warranted in this situation) with multiple layers of firewall security, employee background checks, file encryption, building security... you'll get to a level of Government type security but even then, you still might have an employee steal your data and slip it under the table to the guy that runs WikiLeaks.
It's a never ending path of distrust and paranoia...all you can do is your best to keep it safe and plan for what happens after it gets stolen.
@renazonse :: i agree with your client trust statement. that's the biggest vector on a tech's network. i have a client that understands this. they allow us to track where users go on the internet. if someone contracts a malicious software and we determine where it was contracted and it wasn't a work related website, the user must pay for our time to clean off the malicious software. it's really affective.
ASKER
Absolutely, but it doesn't matter how good the tech is if you cannot trust your employees. You can have machines sitting offline in your office with highly important data and all it takes is someone with enough gumption to whip out their key chain drive or even walk out of the office with the machine.
Fortunately for us this is not an issue. All the people who I work with have their own networks separate from our own. Nothing is connected here, unless unauthorized access from the wan. Also there is no wireless access. I can believe 90% of the problems are either internally (employees) or poor configuration (browser,firewall,ids,rout
Also, I'm not suggesting the above manufacturers sell bad products and should be avoided, I'm simply pointing out what I found with minimal research. I'm hoping someone will come forward with information on a superior product that's stood the test of time, without all the vulnerabilities. Perhaps the best solution would involve a combination- multi layer approach.
I cannot recommend a solution to any of our clients until I'm confident its the right one, and based on past experiences it's going to take some serious research to find the "right" product(s) & company to work with. Hopefully we can get a good referral here.
ASKER
I apologize, this question was posted to the wrong thread.
I believe you received some good information on this thread that at least led you to make searches and some sort of determination of the direction you should go. Don't waste our time with an attitude problem and delete a thread.
ASKER
I believe you received some good information on this thread that at least led you to make searches and some sort of determination of the direction you should go. Don't waste our time with an attitude problem and delete a thread.
ATTITUDE PROBLEM? Who's attitude was it that suggested if we want security we should stay off the internet? Who was it that said "Cisco firewalls in my opinion they are the best," when there are so many known (publicly announced) vulnerabilities? Why didn't you just tell me upfront there were so many posted issues with Cisco instead of recommending them, then I wouldn't have wasted my time researching their products.
ASKER
Hi MITM801
As you might have realised, given your concern about the goals it wasn't really fair to delete the Question after all the experts were working on it and therefore you found them.
As my colleague thermoduric has indicated a request for attention would have led us to rezone the question for you without any upset.
As things stand now though you need to consider the disposition of the question, i.e. do you have a solution, do you still need a solution and take the appropriate action in such regard.
WallyMod
Community Support Moderator
Link to Community Support Request - http:Q_26653335.html
Link to Main Question - http:Q_26645368.html
Excuse me sir, but who are you to make this decision? I don't believe responses such as "If you want unbreakable security don't use the internet" are productive here.
I have pointed out issues and tried to remain civil here, after being belittled, but I'm not going to just keep "taking it" without responding. The suggestions to use Cisco have been responded to in pointing out that there are hundreds of known vulnerabilities with their products. No one has responded with a good reason for why there are so many. The more I research Cisco, the more uncomfortable I am with the recent information I find about non complicated exploits. In fairness to Cisco, I've not verified that everything I've read is actually true, but they seem to be coming from reliablle sources. I simply don't have time to dig that deep into each manufacturer's code problems, that is why I came here to get feedback on it.
Perhaps if you assigned bonus points instead of taking points away there would be more to give.
ASKER
In my opinion nothing useful was contributed here so I will not be giving away any points. digitap has still not replied as to why is company failed to respond to my email request concerning sonicwall exploits, and renazonse thinks I should stay off the internet and quit wasting time with an attitude problem.
I believe a carefully conceived multi layer approach can handle known threats but the difficulty will be in finding the individual(s) company who can design/configure it.
All,
Following an 'Objection' by MITM801 (at https://www.experts-exchange.com/questions/26650554/08-Dec-10-11-Automated-Request-for-Attention-Q-26645368.html) to the intended closure of this question, it has been reviewed by at least one Moderator and is being closed as recommended by the Expert.
At this point I am going to re-start the auto-close procedure.
Thank you,
SouthMod
Community Support Moderator
Following an 'Objection' by MITM801 (at https://www.experts-exchange.com/questions/26650554/08-Dec-10-11-Automated-Request-for-Attention-Q-26645368.html) to the intended closure of this question, it has been reviewed by at least one Moderator and is being closed as recommended by the Expert.
At this point I am going to re-start the auto-close procedure.
Thank you,
SouthMod
Community Support Moderator