Solved

Least vulnerable highest security firewall

Posted on 2010-11-29
23
820 Views
Last Modified: 2013-11-16
It has been a difficult process trying to pick the "right" firewall to protect a network consisting of only 2 PCs and a VoIP phone adapter.
I assumed Sonicwall would be a good choice until I recently learned that the end user equipment depends on continuous licensing validation by Sonicwall back end servers. If they go down or the connection is not maintained the end user equipment becomes compromised allowing malware into the network (what a ******awful design someone tell me this isn't true) and further the Sonicwall "reassembly free deep packet inspection" leaves ips vulnerable to fragmented packets allowed through without detection, DoS attack vulnerabilities, VPN Vulnerabilities, etc.

Upon further research into Watchguard Firebox, there was a Secunia advisory SA14928 left unpatched since 2005, and someone left this post: "I discovered a huge vulnerability in the Watchguard SSL-VPN implementation. The consequences are quite important as, if exploited correctly, it is possible to perform arbitrary code execution on the victim's machine. For six months now I've been in contact with 'someone' from the Watchguard security team. He has promised me many times a date when the fix will be released. I'm still waiting for it...
In his last mail he said the fix was committed to the beta-team and I was going to be added to the beta-testers list so I could try it out and play around with it. I'm still waiting to be added... To be honest, I start to feel rather annoyed about their attitude." It goes on to say: "I informed them privately of two important vulnerabilities. I accepted to keep the details about the fixed problem confidential as courtesy. I keep waiting for 6 months with many beautiful promises about a fix and access to the beta. I don't ask any money for these reports. For ethical reasons I will not publish the full disclosure without the fix. But next time I find a leak in their products I might start thinking about selling it to the highest bidder." Perhaps the following is then related: Watchguard released a new version v10.2.3 fixing this huge problem. Quote from the release notes: The Mobile VPN with SSL client and gateway now protect against "Man in the Middle" attacks.

How many other yet undiscovered vulnerabilities are there for these, and other firewalls on the market? Is there such a thing as a firewall without vulnerabilities, and if so who is the manufacturer? What is the best solution for spam/malware filtering, intrusion detection, VoIP, ARP, VPN, MITM, DNS, and protection against all other known tricks/vulnerabilities?

I'm alarmed at the number of outbound connection attempts (Microsoft components), most of which there is little information about online. I don't mind having outbound connections so long as they are legitimate and required. Does anyone know where I could find a list so I know what these components are for?

Question by: MITM801

23 Comments
LVL 30

Accepted Solution

by: renazonse (earned 84 total points)
ID: 34233273
The firewall without vulnerabilities is the one that is still inside its box and not connected to the internet. You're always going to have some semblance of risk and your best option, and my best advice, is to get the best firewall, but none are perfect.

I've always used Cisco firewalls and in my opinion they are the best and least likely to be compromised or fail from software problems. Not to mention their customer service is excellent. Although, to my knowledge, they do not have an all in one appliance that blocks spam/viruses as well as serves as the firewall/VPN appliance. You'll need 2 devices. I suggest calling up Cisco sales and speaking with a sales rep to get info on what exactly you need for your environment.

I know of no specific list of outbound connection protocols but you can view the list of running processes on the server and Google each one to get a good idea of what it is and what it does and what traffic it causes.

Hope that helps.
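The answer above suggests inventorying running processes to work out what the outbound connections are. As an added example (not code from this thread or from any vendor mentioned in it), the script below parses the text of Windows `netstat -ano` and `tasklist /FO CSV`, joins them on PID, and lists the remote endpoints each image name is talking to, flagging any image not on a reviewer's allow-list. The sample command output and the allow-list contents are constructed assumptions; on a real host, redirect the two commands to files and feed their contents to the same functions.

```python
"""Per-process inventory of outbound TCP connections from Windows netstat/tasklist text.

Added example; the sample output below is constructed, not captured from a real host.
On a real machine:  netstat -ano > netstat.txt   and   tasklist /FO CSV > tasklist.txt
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -ano` output (Windows column layout).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    127.0.0.1:49152        127.0.0.1:49153        ESTABLISHED     1234
  TCP    192.168.1.10:49201     203.0.113.5:443        ESTABLISHED     1234
  TCP    192.168.1.10:49202     192.0.2.9:80           ESTABLISHED     2048
  TCP    192.168.1.10:49203     198.51.100.7:6667      SYN_SENT        3100
  UDP    0.0.0.0:5353           *:*                                    4096
  UDP    192.168.1.10:137       *:*                                    4
"""

# Constructed sample of `tasklist /FO CSV` output.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"svchost.exe","880","Services","0","8,000 K"
"svchost.exe","1234","Services","0","12,345 K"
"iexplore.exe","2048","Console","1","90,000 K"
"updater.exe","3100","Console","1","4,500 K"
"svchost.exe","4096","Services","0","6,000 K"
"""

# Assumed reviewer allow-list: image names whose outbound traffic has been reviewed.
ALLOWED_IMAGES = {"svchost.exe", "iexplore.exe"}


def parse_tasklist(text):
    """Map PID (int) -> image name from `tasklist /FO CSV` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def parse_netstat(text):
    """Yield (proto, remote_ip, remote_port, state, pid) for outbound TCP rows.

    LISTENING sockets, UDP rows (netstat shows no peer for them), and loopback or
    unspecified peers are skipped: they are not traffic leaving the host.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        proto, _local, foreign, state, pid = parts
        if state == "LISTENING":
            continue
        host, _, port = foreign.rpartition(":")
        try:
            ip = ipaddress.ip_address(host.strip("[]"))  # tolerate bracketed IPv6
        except ValueError:
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        yield proto, str(ip), int(port), state, int(pid)


def outbound_by_process(netstat_text, tasklist_text):
    """Group outbound peers by image name: {image: [(ip, port, state), ...]}."""
    pid_to_image = parse_tasklist(tasklist_text)
    grouped = defaultdict(list)
    for _proto, ip, port, state, pid in parse_netstat(netstat_text):
        image = pid_to_image.get(pid, f"<unknown pid {pid}>")
        grouped[image].append((ip, port, state))
    return dict(grouped)


def unexpected_processes(netstat_text, tasklist_text, allowed=ALLOWED_IMAGES):
    """Sorted image names with outbound connections that are not on the allow-list."""
    grouped = outbound_by_process(netstat_text, tasklist_text)
    return sorted(name for name in grouped if name not in allowed)


if __name__ == "__main__":
    for image, peers in sorted(outbound_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items()):
        print(image)
        for ip, port, state in peers:
            print(f"    {ip}:{port}  {state}")
    print("Not on allow-list:", unexpected_processes(NETSTAT_SAMPLE, TASKLIST_SAMPLE))
```

The join on PID is the step that turns a list of anonymous sockets into something you can research one image name at a time; a process that shows up under `<unknown pid>` means the two snapshots were taken far enough apart that the process exited, so capture both commands back to back.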
 
LVL 3

Assisted Solution

by: flakier (earned 83 total points)
ID: 34233549
Juniper SRX series or try Cisco ASA.  Or, if you need only port ACL type firewall, just a plain old Cisco ISR 800 series
 
LVL 33

Assisted Solution

by: digitap (earned 83 total points)
ID: 34236343
stay away from Watchguard.  my experience has not been good with any of their appliances.

if you have the budget and knowledge, then go with Cisco.  it's a solid product and there's a TON of Cisco knowledge here on EE.

i personally deploy and support the sonicwall appliance.  if you don't have a huge budget or lots of experience, the sonicwall is a great appliance.  it has several wizards for doing most of the things you need and has a track record for being a secure appliance.

something to remember, a firewall appliance is only as good as the tech who installed it.
 
LVL 30

Expert Comment

by:renazonse
ID: 34237452
Good call... I meant to say something about the Watchguard being an abomination.  I second the stay away from Watchguard.
 

Author Comment

by:MITM801
ID: 34244355
i personally deploy and support the sonicwall appliance.  if you don't have a huge budget or lots of experience, the sonicwall is a great appliance.  it has several wizards for doing most of the things you need and has a track record for being a secure appliance.

I tried to contact NetSystems via email and didn't receive a response. I already purchased a SonicWALL and am getting ready to return it if even half of what I've read is true. The whole issue of the end user's appliance security being turned off if SonicWALL back-end servers can't validate a license is extremely troublesome. Essentially if their server goes down so does your security. From what I've read this has already happened, upsetting a lot of people. I can't even talk to a SonicWALL tech to verify if the validation process has changed, or if other previous vulnerabilities have been fixed.

When I look into Cisco I find hundreds of vulnerabilities!:

2010: "Several firewall vulnerabilities exist within Cisco's ASA Firewall, a widely used firewall that is deployed in SoHo environments as well as Fortune 500 companies. One flaw allows an attacker to bypass the access control list (ACL), which negates the firewall's security policy settings. Also found were issues with Cisco's Adaptive Security Device Manager (ASDM), a Java-based GUI used for administering the firewall. Weaknesses within the authentication mechanism enable several different techniques that can allow an attacker to gain administrator credentials and execute code."
It seems clear to me we have another of the all-too-familiar issues of "blind faith." It seems clear there's a lot of blind trust being placed in these devices.

Here is a partial list of the 375 additional vulnerabilities found:

Cisco Unified Videoconferencing Products Multiple Vulnerabilities  2010-11-18
Cisco Unified Communications Manager Privilege Escalation Vulnerability  2010-11-08
Cisco Intelligent Contact Manager Setup Manager "Agent.exe" Multiple Vulnerabilities  2010-11-08
Cisco AnyConnect VPN Client Privilege Escalation Vulnerability  2010-11-03
Cisco IOS H.323 Two Denial of Service Vulnerabilities  2010-09-23
Cisco Unified Communications Manager Two Denial of Service Vulnerabilities  2010-09-23
Cisco IOS NAT Implementation Three Denial of Service Vulnerabilities  2010-09-23
Cisco IOS SIP Multiple Denial of Service Vulnerabilities  2010-09-23
Cisco IOS IGMPv3 Denial of Service Vulnerability  2010-09-23
Cisco IOS SSL VPN Memory Leak Denial of Service Vulnerability  2010-09-23
Cisco Wireless LAN Controllers Multiple Vulnerabilities  2010-09-09
Cisco IOS XR Border Gateway Protocol Denial of Service Vulnerability  2010-08-30
Cisco Unified Presence Two Denial of Service Vulnerabilities  2010-08-26
Cisco Unified Communications Manager Two Denial of Service Vulnerabilities  2010-08-26
Cisco Packet Tracer Insecure Library Loading Vulnerability  2010-08-26
Cisco IOS TCP Connection Handling Denial of Service  2010-08-13
Cisco ACE Products Multiple Denial of Service Vulnerabilities  2010-08-12
Cisco Wireless Control System Cross-Site Scripting and SQL Injection Vulnerabilities  2010-08-06
Cisco ASA 5500 Series Multiple Denial of Service Vulnerabilities  2010-08-05
Cisco Firewall Services Module Multiple Denial of Service Vulnerabilities  2010-08-05
Cisco Multiple Products TLS Session Renegotiation Plaintext Injection  2010-07-28
Cisco Content Delivery System Internet Streamer Directory Traversal Vulnerability  2010-07-22
Cisco Industrial Ethernet 3000 Hardcoded SNMP Community Names  2010-07-08
Cisco Unified Contact Center Express Two Vulnerabilities  2010-06-10
etc., etc., etc.


Perhaps my vision of security is different, but the way I feel about it is either all or none. Either do it right the first time, and guarantee the work, or don't do it at all. There is no in between. There is no compromise.
 
LVL 30

Expert Comment

by:renazonse
ID: 34244388
If you want unbreakable security don't use the internet.
 
LVL 33

Expert Comment

by:digitap
ID: 34244516
@MITM801 :: what email address did you use to contact netsystems?
 

Author Comment

by:MITM801
ID: 34244594
what email address did you use to contact netsystems?

I use disposable email addresses so that the next time I get flooded with junk I know where the problem originated.

The email was sent to  support@netsystems.net  from: netsystemsinquiry@nym.hush.com

If you want unbreakable security don't use the internet.

People have said many times "Just be careful what sites you visit and you'll be fine." Talk about blind faith! A simple solution which we've implemented involves keeping anything of value on an offline PC.
However, there are still reasons for securing equipment that has access. There are good reasons for using PGP to encrypt/exchange email, but the people I do business with simply don't understand or believe that email can be read by others.
 
LVL 33

Expert Comment

by:digitap
ID: 34245079
i'll check on that.
 
LVL 30

Expert Comment

by:renazonse
ID: 34246919
I agree totally... definitely want to secure anything with access to the internet, but you can never be so naive as to believe that you're not going to have some risk regardless of the technology used to secure it.

@digitap "something to remember, a firewall appliance is only as good as the tech who installed it."

Absolutely, but it doesn't matter how good the tech is if you cannot trust your employees. You can have machines sitting offline in your office with highly important data and all it takes is someone with enough gumption to whip out their key chain drive or even walk out of the office with the machine.

Ultra high security doesn't just come from your hardware and software. If you have data that's that highly confidential you need internal manpower and building security as well. I did some work on machines at the company that printed, designed and tracked the McDonald's Monopoly game pieces (if you don't know what that is, it's like the lottery but printed on cups and food packaging at a fast food restaurant). I had to be buzzed in from a quarter of a mile away through their razor wire topped gate, buzzed in through the front door, interrogated by a group at the front desk, given a yellow badge of warning, escorted through another keycard access door with a security guard, again escorted through a keycard access door (only after an employee on the inside verified I was who I said I was, signed the second check-in form (first was at the front desk), surveillance cameras everywhere), escorted to the "Game" room where the computers that designed the game pieces were, let in by the security guard through the digital key coded door and into the isolated room. After I was in the room I had to sign in again and was watched like a hawk until work was done. I was never allowed to bring anything into the room and they provided screwdrivers or anything that was needed for repair. None of the machines were connected to the external network and the room didn't have cabling for the network running into it. All employees were treated with the same scrutiny on a daily basis.

I made my way into this room one day when the company was having trouble with the software that creates / protects the game pieces. They had a consultant from the manufacturer out there assisting with an upgrade and they had very reluctantly allowed him to bring a laptop into the room. As soon as one of the employees saw the consultant had brought in a key drive and had plugged it into his laptop, his machine was confiscated and they ran his hard drive through a bandsaw before he was able to leave...and they were still worried.

Attach that kind of paranoia (warranted in this situation) with multiple layers of firewall security, employee background checks, file encryption, building security... you'll get to a level of Government type security but even then, you still might have an employee steal your data and slip it under the table to the guy that runs WikiLeaks.

It's a never ending path of distrust and paranoia...all you can do is your best to keep it safe and plan for what happens after it gets stolen.
 
LVL 33

Expert Comment

by:digitap
ID: 34248364
@renazonse :: i agree with your client trust statement.  that's the biggest vector on a tech's network.  i have a client that understands this.  they allow us to track where users go on the internet.  if someone contracts malicious software and we determine where it was contracted and it wasn't a work related website, the user must pay for our time to clean off the malicious software.  it's really effective.
 

Author Comment

by:MITM801
ID: 34257992
Absolutely, but it doesn't matter how good the tech is if you cannot trust your employees. You can have machines sitting offline in your office with highly important data and all it takes is someone with enough gumption to whip out their key chain drive or even walk out of the office with the machine.

Fortunately for us this is not an issue. All the people who I work with have their own networks separate from our own. Nothing is connected here, unless unauthorized access from the WAN. Also there is no wireless access. I can believe 90% of the problems are either internal (employees) or poor configuration (browser, firewall, IDS, router, etc.). Our issues are not internal. I believe they involve a combination of using equipment (software, firmware, hardware) with exploits, some of which may be public knowledge, some not, and most importantly, configuration.

Also, I'm not suggesting the above manufacturers sell bad products and should be avoided; I'm simply pointing out what I found with minimal research. I'm hoping someone will come forward with information on a superior product that's stood the test of time, without all the vulnerabilities. Perhaps the best solution would involve a combination, multi-layer approach.

I cannot recommend a solution to any of our clients until I'm confident it's the right one, and based on past experiences it's going to take some serious research to find the "right" product(s) and company to work with. Hopefully we can get a good referral here.
 

Author Comment

by:MITM801
ID: 34258333
I apologize, this question was posted to the wrong thread.
 
LVL 30

Expert Comment

by:renazonse
ID: 34258796
I believe you received some good information on this thread that at least led you to make searches and some sort of determination of the direction you should go. Don't waste our time with an attitude problem and delete a thread.
 

Author Comment

by:MITM801
ID: 34260832
I believe you received some good information on this thread that at least led you to make searches and some sort of determination of the direction you should go. Don't waste our time with an attitude problem and delete a thread.

ATTITUDE PROBLEM? Whose attitude was it that suggested if we want security we should stay off the internet? Who was it that said "Cisco firewalls in my opinion they are the best," when there are so many known (publicly announced) vulnerabilities? Why didn't you just tell me upfront there were so many posted issues with Cisco instead of recommending them? Then I wouldn't have wasted my time researching their products.
 

Author Comment

by:MITM801
ID: 34274052
Hi MITM801

As you might have realised, given your concern about the goals it wasn't really fair to delete the Question after all the experts were working on it and therefore you found them.

As my colleague thermoduric has indicated a request for attention would have led us to rezone the question for you without any upset.

As things stand now though you need to consider the disposition of the question, i.e. do you have a solution, do you still need a solution and take the appropriate action in such regard.

WallyMod
Community Support Moderator
Link to Community Support Request - http:Q_26653335.html
Link to Main Question - http:Q_26645368.html

Excuse me sir, but who are you to make this decision? I don't believe responses such as "If you want unbreakable security don't use the internet"  are productive here.

I have pointed out issues and tried to remain civil here, after being belittled, but I'm not going to just keep "taking it" without responding. The suggestions to use Cisco have been responded to by pointing out that there are hundreds of known vulnerabilities with their products. No one has responded with a good reason for why there are so many. The more I research Cisco, the more uncomfortable I am with the recent information I find about non-complicated exploits. In fairness to Cisco, I've not verified that everything I've read is actually true, but it seems to be coming from reliable sources. I simply don't have time to dig that deep into each manufacturer's code problems; that is why I came here to get feedback on it.

Perhaps if you assigned bonus points instead of taking points away there would be more to give.
 

Author Comment

by:MITM801
ID: 34275974
In my opinion nothing useful was contributed here so I will not be giving away any points. digitap has still not replied as to why his company failed to respond to my email request concerning SonicWALL exploits, and renazonse thinks I should stay off the internet and quit wasting time with an attitude problem.
I believe a carefully conceived multi-layer approach can handle known threats, but the difficulty will be in finding the individual(s) or company who can design/configure it.
 

Expert Comment

by:South Mod
ID: 34367429
All,
 
Following an 'Objection' by MITM801 (at http://www.experts-exchange.com/Q_26650554.html) to the intended closure of this question, it has been reviewed by at least one Moderator and is being closed as recommended by the Expert.
 
At this point I am going to re-start the auto-close procedure.
 
Thank you,
 
SouthMod
Community Support Moderator