As a follow up to the email thread discussed here: http://blogs.isaserver.org/shinder/2006/06/21/chapter-3x-of-dr-ts-rant-on-pix-firewalls/ Jim Harrison follows up with a powerful fact enhanced one-two punch to put the “hardware” firewall delusion down in the third round. Will the “hardware firewall” contender be able to come back with real facts and beat the count?
#1 – “PIX is more secure than ISA because it’s a ’hardware’ firewall”. This is pure, unadulterated BS, propagated by the same 1d10t’s that ignore the *FACT* that PIX is nothing more than a custom OS (xNIX, usually). In fact, I’ve only heard of *one* “hardware” firewall; that it is strictly a L3-only box (much like your PIX)
#2 – Speed & security are orthogonal. Security is demonstrated by resilience in teh face of unwanted traffic; speed is merely doing it faster.
#3 – You need to read up on how any OS (specifically Windows) network functionality works. If you *ever* find packets being stored to disk before being processed, throw that device out the door
#4 – I posted this for Tony Su; maybe you’ll get more use ot of it: http://technet2.microsoft.com/WindowsServer/en/Library/823ca085-8b46-4870-a83e-8032637a87c81033.mspx After you’ve read up a bit, come back and rescind this argument
#5 – this means nothing of the sort; if you can demonstrate this assertion with fact, then by all means do so. You should also go read up on how processes communicate in Windows.
#6 – Let’s see; if I stop the PIX firewall services, the machine is also open to attack <duh>.
#7 – no machine of any sort has “unlimited” capabilities. If you really believe that this is possible, you must not occupy the same physical world as the rest of us.
#8 – Based on this argument, ISA is also a “hardware” firewall as *all* traffic inspection (not just L3 as in PIX) is performed in RAM. Not one single packet ever leaves the motherboard except to enter or leave the network itself.
#9 – The “adaptive security mechanism” is L3-only. ISA policy engine and packet filter driver operate all the way to L7. Thus, when the PIX is allowing RPC traffic to teh internal host “because it asked for it”, ISA is blocking it as invalid traffic. Case in point; Blaster passed through every PIX on the planet; ISA blocked it in every single case.
#10 – is unclear at best. What’s your point other than to show how you can spew brand names?
#11 – I noticed that you can research ISA issues, but you seem unable to find PIX vulns? I wonder how that can be? Go out to www.securityfocus.com and search under “Cisco” for “PIX Firewall”. I see:
Multiple Cisco Products WebSense Content Filtering Bypass Vulnerability <http://www.securityfocus.com/bid/17883>
OpenSSL Denial of Service Vulnerabilities <http://www.securityfocus.com/bid/9899>
Multiple Vendor TCP/IP Implementation ICMP Remote Denial Of Service Vulnerabilities <http://www.securityfocus.com/bid/13124>
Cisco PIX TCP SYN Packet Denial Of Service Vulnerability <http://www.securityfocus.com/bid/15525>
Cisco Downloadable RADIUS Policies Information Disclosure Vulnerability <http://www.securityfocus.com/bid/16025>
Cisco IPSec Unspecified IKE Traffic Denial Of Service Vulnerabilities <http://www.securityfocus.com/bid/15401>
Multiple Vendor TCP Sequence Number Approximation Vulnerability <http://www.securityfocus.com/bid/10183>
Multiple Cisco PIX Remote Denial Of Service Vulnerabilities <http://www.securityfocus.com/bid/9221>
OpenSSL ASN.1 Large Recursion Remote Denial Of Service Vulnerability <http://www.securityfocus.com/bid/8970>
Cisco PIX ICMP Echo Request Network Address Translation Pool Exhaustion Vulnerability <http://www.securityfocus.com/bid/8754>
Multiple Vendor Session Initiation Protocol Vulnerabilities <http://www.securityfocus.com/bid/6904>
Multiple Vendor SSH2 Implementation Buffer Overflow Vulnerabilities <http://www.securityfocus.com/bid/6407>
Cisco PIX VPN Session Hijacking Vulnerability <http://www.securityfocus.com/bid/6211>
Cisco PIX TACACS+/RADIUS HTTP Proxy Buffer Overrun Vulnerability <http://www.securityfocus.com/bid/6212>
Cisco PIX Firewall Telnet/SSH Subnet Handling Denial Of Service Vulnerability <http://www.securityfocus.com/bid/6110>
Cisco SSH Denial of Service Vulnerability <http://www.securityfocus.com/bid/5114>
Cisco Malformed SNMP Message Denial of Service Vulnerabilities <http://www.securityfocus.com/bid/4132>
Cisco PIX Firewall SMTP Content Filtering Evasion Vulnerability Re-Introduction <http://www.securityfocus.com/bid/3365>
Cisco PIX TACACS+ Denial of Service Vulnerability <http://www.securityfocus.com/bid/2551>
SSH CRC-32 Compensation Attack Detector Vulnerability <http://www.securityfocus.com/bid/2347>
PKCS #1 Version 1.5 Session Key Retrieval Vulnerability <http://www.securityfocus.com/bid/2344>
Cisco PIX PASV Mode FTP Internal Address Disclosure Vulnerability <http://www.securityfocus.com/bid/1877>
Cisco PIX Firewall SMTP Content Filtering Evasion Vulnerability <http://www.securityfocus.com/bid/1698>
Cisco Secure PIX Firewall Forged TCP RST Vulnerability <http://www.securityfocus.com/bid/1454>
Multiple Firewall Vendor FTP “ALG” Client Vulnerability <http://www.securityfocus.com/bid/1045>
Multiple Firewall Vendor FTP Server Vulnerability <http://www.securityfocus.com/bid/979>
Cisco PIX Firewall Manager File Exposure <http://www.securityfocus.com/bid/691>
Cisco PIX and CBAC Fragmentation Attack <http://www.securityfocus.com/bid/690>
Well, waddayano; seems like PIX takes this particular prize.
#12 – this is nothing more than another indication of your vast Windows / ISA ignorance
Please go educate yourself before making such claims, or at least ask Tony Su for advice.
From: [email protected] on behalf of Egyptian Mind
Sent: Sun 6/25/2006 2:32 AM
Subject: [isalist] Re: Nothing is secure like PIX
I’m sorry for not continuing mailing about this issue, but I was quit busy in upgrading in our network infrastructure, but I should tell you that I was really surprised by the 160 mails they were in my inbox about this issue..
It means that this matter has gained a lot of attentions to most of members here in ISA List… I’ve really get amused by these mails which come from different members with different cultures and experiences about using hardware or software as a firewall boundary, although that some of you have taking this issue as some kind of joke, or to get amused by mocking … :-):-):-)
Anyway, I’ve really get amused by your mail, TOM, It was really funny and your way of talking and mocking the Idea is very interesting… Honestly, I laughed for 15 minutes ; none-stop when I was reading your blog :-):-):-):-):-) (( It does not mean ridiculing of you, but it means that your way of present your Idea is really interesting 🙂 :-):-)
But let’s start examine this issue in neutrality way… “and let me borrow your link for ’ ISA Server 2006 Firewall Core’ which u have send as you ask” 🙂
First: I didn’t say that PIX is the most secure firewall in the world, and ’ Supernova; The greatest hacker’ can grantee this, I just said that PIX is more secure than ISA server, which is our issue here…( I mean that PIX as a Hardware firewall, is more secure than ISA as a software firewall)
Second: you say that ” Faster is not the better” and you repeated it in a very interesting way, but I think you should look at ” ISA Server Firewall Core ” in this paragraph:::::
“””” Firewall Engine ( Firewall Packet Engine)
Handling these operations in Kernal Mode, improves both performance and security. “””””
This means that Microsoft tends to increase the performance of firewall service and security service in ISA to make it faster as possible :-).
Third: ISA 2006 firewall core depends on Network Driver Interface Specification ( NDIS) and Microsoft Networking Stack, that means that packet should pass the network interface, the processor, RAM, harddisk, till it reach the network driver in windows ( Kernal Layer) which located over the hardware layer and assembly layer, in the other hand, the packet is analyzed, interpreted and processed in hardware layer in any hardware firewall.
Fourth: The TCP/IP Stack in firewall core in Kernal mode is controlled by windows , which refers to the previous point of even the firewall engine is analyzing the packet in layer 3 and 4 before beginning processing, it will of course reach layer 5 of windows which send it to the firewall engine in kernel mode…. (( Does it make sense??? )) or it’s better to analyze the packet as soon as it reaches the network interface card, Isn’t it??
Fifth: In the purposed document
” Policy Engine
The policy engine communicates with all components of the ISA server firewall core, both with the Kernal-mode firewall engine and the user-mode firewall service, in addition the Policy Engine communicates with both layers of application and web filters””
This means that there are a lot of channels opened between Firewall core and other applications running in ISA, which means ” open ports”, even this ports are opened in Kernal-mode, but it’s still opened port 🙂
Sixth: These are some comments gathering from viewing just the first three papers of Microsoft Document, and I will not telling the comments getting from the rest of this document, or the mail will be too long 🙂 to read, but just I’d like to present this comment written in the document as my last word about this document;
” Note The firewall engine driver is the root of the firewall dependency tree. Stopping the firewall engine driver ( by using net stop fweng /y at the command prompt) also stops the other Firewall components, which opens the computer to all network traffic “””
Open to all network traffic !!!!!!!!!!!!!!!!!!!!!, it means fully penetrated… how could it be that one command can penetrate my network to all attacks?????? … it does not make sense at all, Does it??
Seventh: you compares the ISA server 2006 ( which is last release) with PIX firewall, which is in market over than 20 years, and you didn’t specify which version,, Microsoft has ISA 2000, 2004, 2006… But CISCO has 501,501E,506E,515,525, and the greatest PIX 535, which has unlimited number of users ad unlimited numbers of concurrent VPN Connections ….
Eighth : The OS of PIX is too small which can be loaded in RAM and some portion of processor, It doesn’t mean just that it will be faster and faster than any software firewall, but I mean that the packet inspector process will be done at the hardware level, and in fact it happens in the assembly level… More than that, every interface in PIX has it’s own firewall policy, firewall engine, access control,,, although you manage all interfaces by one screen, but in fact this screen is collecting policies and access controls and firewall services for all interfaces,,, as the OS of PIX divide itself to make each interface has it’s own control, so no need to contact with the core OS or the kernel for any operations….
Ninth: The adaptive security algorithm, included in PIX, will never allow an incoming traffic to go inside, except if there is a request for this traffic from inside, and it should match a random signature it has been given to the requested traffic, or if u make a policy on the outside interface to allow this traffic to come in, and is called ADAPTIVE , it means that it will strengthen it self upon the signature of the attack or the requested traffic and how it will be filtered to insure that this ” man in the middle” will not gain access though the incoming traffic.
Tenth: I was talking here about PIX 535 which support all clustering features, as well as redundancy, as the corresponding issue is between ISA and PIX, as a hardware and software firewall, but If we go to market, we will find Watch Guard, Cyber Guard, Alphafilter, CyberCom, D-Link,…..etc as well as we will see Symantec , Mcafee, ….etc,,, and for linux there are a lot of firewall software like Netfilter
Eleventh: you talked about ISA 2006, and you give me a document coming from Microsoft itself, so what will mama said about her child???????
So if you want this, you can take a look of the following links ::
Note that ASA 5500 has been developed in order to satisfy market need of application filtering and Active Directory Integrated..
But if we go to neutralized sites, we will find that most of them are preferred PIX than ISA as a front door
and I will not go far away,
This link is in ISASERVER.org itself with your handwriting about ISA 2000, which shown some issue
And also :
and please see this
Which means that you should be standby for any articles and newsgroup to find out if there any discover Vulnerability, and not just using windows update”
Twelfth: There is a fact that any GUI operating system should open ports to hardware to operate well, and this is refer to fact that the first 1024 ports in windows you can’t change or reconfigure, and the other act that the most secure operating system till now is UNIX , as it is a command prompt operating system and have never been hacked except when it become LINUX, with a GUI.
And even if it has been hacked, it records the least amount of hacking processes than windows ofcourse.
Finally : No Doubt that Microsoft is the greatest marketing company in the world, as it depends on user need, and nothing is more important to user more than the fancy of GUI , Graphical User Interface,
I think most of you agree with me that this concept ; I mean GUI, is the main reason for Bill Jates treasure which made up his riches, isn’t it???
Now, can you tell me
– Why the great companies and the effective and sensitive corporations ( Like BMW, Aramco, Nokia ) prefer to put a hardware firewall instead of ISA server?? ( This is a fact, I see it myself )
– Why most of multinational banks ( Like CIB, HSBC ) put more than three cascading hardware firewalls as it’s front door to internet??? ( This is a fact, I see it myself)
– Why Microsoft itself didn’t use any of it’s products, in it’s server farms, instead they using UNIX for mail server as an example??? ( you can check it your self by reading the arguments shown to you in the address bar of internet explorer when you open your hotmail inbox, and ask a good web programmer about it )
– Why you dont recommend ISA server for DAN as the cheapest way for a firewall system, as he can install it on a high hardware qualified workstation, not should be a server, if you think that ISA server can manage?????
Senior Network Administrator
College of Business Administration, CBA
Jeddah, Saudi Arabia
Tel: +966-02-6563199 ext 2521
Cell: – +966-50-2953591