Re: Cisco 7200 Router Vs Checkpoint Fw-1

rd105 · ‎03-29-2001

Hi,

I was hoping you could solve this following scenario for me.

Ok, lets say we had a cisco 7200 (IOS 12.1) router setup with an standard ACL with no IOS Firewall installed. The only services permitted through this router was HTTP & HTTPS. On the other side of the router is a web server running SOLARIS 2.6 as it's OS.

What risks am I am getting myself in for ?

What advantage would there be by adding a Fw-1 on the other side of the router ?

Is the router sufficent enough and what types of hacks / attacks could I expect to receive knowing the config above, ie. http & https traffic on permitted to the webserver. Are there any known hacks that occur above layer 3 of the OSI, ie. application that the router won't stop. As opposed to a FW-1 box that would check all 7 layers !

Anyhelp would be greatly appreciated.

Thanks,

kyle

effigy · ‎03-31-2001

In terms of information gathering in the instance for a potential security breach, a dual packet filtering mechanism can provide an extra logging mechanism. (Checkpoints logs are very easy on the eyes.) Two gateways can also be used to manipulate the IP source and destination headers twice to make spoof attacks that much harder. (Hareder to discover the IP topology with two packet filters.)

However, If port 80 is open, as an example, and it is responding, then a hacker is likely to circumvent the firewall gateway(s) entirely and head straight for vulnerabilities on your web server. (You might as well have 20 firewalls. :-) )

Hardening and limiting as much as you can on the firewall, but also HARDEN (patch, tweak, and limit) access to your web server. Research the most common and recent exploits of your web servers OS and web platform and harden. (To answer... yes! There are LOTS of hacks for Solaris! goto www.rootshell.com )

Firewalls only do so much. Also ENSURE that any code referrencing a back end database is not easily manipulated, and that permissions to the data structure are locked down. (SANS has TONS of information on these kinds of exploits.)

Another great idea is an IDS (Intrusion detection system) Such as ISS RealSecure. ISS watches the traffic on the wire for malicious activity. This product in conjunction with Intellitactics NSM (Network Security manager) is a lethal one two puch for getting information that is security relevant. (Alot of traffic picked up these mechanisms is just an "accidental" appearnce interpreted by ISS.) NSM will collect data and let you know if it IS relevant.

Have fun!

j-patterson · ‎04-26-2001

FW-1 ? Try taking a look at the Cisco PIX.

durnie · ‎05-15-2001

Try not looking at the PIX...

FW-1 will allow more flexibility with your routing protocols, active active is still a pipe dream as far as the pix goes, and by putting a FW-1 behind the vxr, you get the ability to read further into the packet for security. Stateful firewalling is a good thing:-) Also, sending steganography via covert channels(port 80) or http tunneling will be allowed by your acl's.

durnie

ushamir · ‎05-22-2001

Well Hi Kyle,

cisco acl's are packet-filter's.

packet filter's got big security limitation by checking only source,destination and port address.

they are open to spoofing, source routing, and are applicationless guard.

firewall-1 is statefull inspection and that check from the LLC layer(upper mac) to the application by that providing much better security solution.

there is a performance issue when comparing ACL to firewall-1 which put firewall-1 slower then acl so you may consider moving to cisco PIX that use ASA(adaptive security algorhitm like statefull) or install firewall features set from cisco to your 7200 taht will enable you a little bit more flexible configuration.

thanks.

Udi Shamir.

Data Security Expert.

udis@gtek.co.il