Great Circle Associates Firewalls
(June 1997)
 


Subject: Re: Pulling out Checkpoint-1 firewalls
From: Adam Shostack <adam @ homeport . org>
Date: Fri, 27 Jun 1997 10:18:21 -0400 (EDT)
To: mjr @ clark . net
Cc: Firewalls @ GreatCircle . COM
In-reply-to: <199706270216 . WAA02690 @ mail . clark . net> from "Marcus J. Ranum" at "Jun 26, 97 10:14:24 pm"

Marcus J. Ranum wrote:

| Indeed, for amusement value, I hereby offer a $3,000US
| cash prize out of my pocket to the first person who posts
| a verifiable disassembly of a deliberate trapdoor in a
| Checkpoint. Rules are that 2 other experts of my choice

	I assert that use of FZW1 (or whatever their proprietary
encryption scheme is called) for their remote management tools is a
deliberate trapdoor.

	Clearly, the use of a proprietary algorithm is intentional.
("Ooops!  Wrote fzw1 everywhere I meant to say md5!  Guess we can ship
anyway.")

	Now, is this a trapdoor?  I believe that it is, inherently.
The use of a proprietary algorithm is snake oil.  The use of a
proprietary protocol is, analogously, snake oil.  It absorbs an
unreasonable amount of time to figure out what the protocol they're
actually using is.  Actually attacking protocols is difficult.
<tongue in cheek>So, by Cheswick & Bellovin's Corollary 1, this is a
secret and deliberate trapdoor.</tongue in cheek>

	So the question becomes, is this an exploitable trapdoor?
Should the code and protocol docs find their way into my mailbox, I
will demonstrate that the answer is yes.   I am not going to
disassemble them myself; I'm not good enough at that to make the time
investment worthwhile for the quality of the bugs I'd expect to find.
(Only a seriously misconfigured FW1 would allow management packets
from anywhere, which means you probably need to bypass the FW1, and
can then play with it from the 'trusted' side.  This is not the sort
of really exciting bug that newspapers like to hear.)  Besides, I
expect that there is low hanging fruit in the published world, which
will get me fame and publicity.

	To separate this from my consultant's hankering after Marcus'
cash, I'll direct the money to a charity if Marcus and his two experts
agree that this meets the criteria of intentional trapdoor.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume



