Least vulnerable highest security firewall
Posted on 2010-11-29
It has been a difficult process trying to pick the "right" firewall to protect a network consisting of only 2 PCs and a VoIP phone adapter.
I assumed Sonicwall would be a good choice until I recently learned that the end user equipment depends on continuous licensing validation by Sonicwall back-end servers. If they go down or the connection is not maintained, the end user equipment becomes compromised, allowing malware into the network (what a ******awful design; someone tell me this isn't true). Further, the Sonicwall "reassembly-free deep packet inspection" leaves the IPS vulnerable to fragmented packets allowed through without detection, DoS attack vulnerabilities, VPN vulnerabilities, etc.
Upon further research into the Watchguard Firebox, there was a Secunia advisory, SA14928, left unpatched since 2005, and someone left this post: "I discovered a huge vulnerability in the Watchguard SSL-VPN implementation. The consequences are quite important as, if exploited correctly, it is possible to perform arbitrary code execution on the victim's machine. For six months now I've been in contact with 'someone' from the Watchguard security team. He has promised me many times a date when the fix will be released. I'm still waiting for it...
In his last mail he said the fix was committed to the beta team and I was going to be added to the beta-testers list so I could try it out and play around with it. I'm still waiting to be added... To be honest, I start to feel rather annoyed about their attitude." It goes on to say: "I informed them privately of two important vulnerabilities. I accepted to keep the details about the fixed problem confidential as a courtesy. I keep waiting for 6 months with many beautiful promises about a fix and access to the beta. I don't ask any money for these reports. For ethical reasons I will not publish the full disclosure without the fix. But next time I find a leak in their products I might start thinking about selling it to the highest bidder." Perhaps the following is then related: Watchguard released a new version, v10.2.3, fixing this huge problem. Quote from the release notes: The Mobile VPN with SSL client and gateway now protect against "Man in the Middle" attacks.
How many other yet-undiscovered vulnerabilities are there for these, and other, firewalls on the market? Is there such a thing as a firewall without vulnerabilities, and if so, who is the manufacturer? What is the best solution for spam/malware filtering, intrusion detection, VoIP, ARP, VPN, MITM, DNS, and protection against all other known tricks/vulnerabilities?
I'm alarmed at the number of outbound connection attempts (Microsoft components), most of which there is little information about online. I don't mind having outbound connections so long as they are legitimate and required. Does anyone know where I could find a list so I know what these components are for?
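On the last question, a more useful starting point than a generic list is to attribute each outbound connection on the host itself: which process owns it, which Windows services that process is hosting (most "Microsoft components" are svchost.exe instances), and whether the binary carries a valid Microsoft Authenticode signature. The following is an added example written for this page, not code from the original post or from any vendor; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated PowerShell prompt so that the paths of service processes are readable.

```powershell
# Added example (not from the original post): attribute outbound TCP connections to the
# owning process, list the services hosted by svchost.exe instances, and check whether
# the binary is validly signed. Assumptions: Windows 8 / Server 2012 or later, elevated prompt.

# Skip loopback and unspecified addresses; keep established and half-open outbound attempts.
$conns = Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$|::$)' }

$report = foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $path = if ($proc) { $proc.Path } else { $null }

    # One svchost.exe instance hosts several services; name them so the connection is attributable.
    $services = if ($proc -and $proc.ProcessName -eq 'svchost') {
        (Get-CimInstance Win32_Service -Filter "ProcessId = $($c.OwningProcess)").Name -join ','
    } else { '' }

    # Authenticode check: a genuine Microsoft component should be validly signed by Microsoft.
    $signer = if ($path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "UNSIGNED/$($sig.Status)" }
    } else { 'unknown' }

    [pscustomobject]@{
        Process  = if ($proc) { $proc.ProcessName } else { "pid $($c.OwningProcess)" }
        Services = $services
        Remote   = "$($c.RemoteAddress):$($c.RemotePort)"
        State    = $c.State
        Signer   = $signer
    }
}

$report | Sort-Object Process, Remote | Format-Table -AutoSize -Wrap
```

Run this at the moment the firewall reports the attempts; anything whose signer is not Microsoft, or whose svchost instance hosts no recognisable service, is the connection worth investigating first. Note that a valid signature only tells you the binary is genuine, not that the connection is wanted.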