RE: [FW1] Boson FW-1 Admnistrator Exam
This can be read in different ways:

1- The Firewall software is so good that it will take care of all security issues regardless of OS type.
2- It is not necessary, but it can be a recommendation.

I guess if you have a rule like "any firewall (any except fw protocols) drop", then it really doesn't matter how secure your OS is. Of course, it doesn't hurt to apply the basic OS security practices.

NA

-----Original Message-----
From: [email protected] [mailto:[email protected]]On Behalf Of Lance Spitzner
Sent: Wednesday, January 17, 2001 9:25 AM
To: [email protected]
Subject: [FW1] Boson FW-1 Admnistrator Exam

Recently, I was asked a question about a "Boson" FW-1 Administrator exam. I have no idea what this exam is, nor who sponsors it. However, if the material quoted below is true, then this question greatly disturbs me. I wanted to know if anyone else has run into this.

--- snip snip ---

I have always thought that it is necessary to harden the OS for the firewall server. However, I was doing the Boson Checkpoint FW-1 Administrator practice exams when I came across this question:

Question: Why is it unnecessary for Firewall-1 to harden the OS?

Answer: Firewalls that do not analyze the packet until it gets to the application layer need to protect themselves from the lower layer attacks. Firewall-1 protects itself by analyzing all the layers of the packet. Therefore it is unnecessary for the administrator to harden the OS for Firewall-1 server.

Is this true????

--- snip snip ---

This is absolutely NOT true. If an exam is making these assumptions, then it shows that the author has a total lack of security knowledge. No firewall is impervious to vulnerabilities; Bugtraq demonstrates this again and again. Also, base OS armoring protects the firewall against rulebase or administrative misconfigurations. I highly recommend OS armoring for all firewalls, regardless of the vendor. Part of security is reducing risk at all levels.

--
Lance Spitzner
http://project.honeynet.org

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================