By Sean Gallagher  |  Posted 2004-11-05

The worst-case scenario is that some evil-doer could use the source code to create an image of the PIX software that provides a back door for him or others to magically circumvent the firewall. But for that scenario to work, the bad guys would have to convince their target to install that software image onto a firewall. And targets worth an attack of that sophistication, which requires both a high level of "social engineering" and significant resources to back it, aren't very numerous. Alternatively, someone with deep programming knowledge could identify ways to attack existing routers by creating buffer overflows in the software with external input—for a denial-of-service attack. Or they could find a way to pull off some sort of "man in the middle" attack against a VPN session based on gaps in how PIX handles session authentication.
In fact, these are both vulnerabilities that Cisco has found in the past in the PIX software—two years ago, in earlier versions of the software. Odds are that Cisco has filled in most of these holes—at least the ones that are obvious from just looking at the source code.

But if hackers wanted to spend $24,000 to figure out how to take out a PIX firewall, they'd probably be better off spending it on a Cisco PIX firewall of their own, or maybe some Cisco network engineer training. That's because most of the vulnerabilities in firewalls are the result of misconfiguration—and the best way to learn about those vulnerabilities is by learning how to run a firewall correctly.

Sean Gallagher is editor of Ziff Davis Internet's enterprise verticals group. Previously, Gallagher was technology editor for Baseline. Before joining Ziff Davis, he was editorial director of Fawcette Technical Publications' enterprise developer publications group, and the Labs managing editor of CMP's InformationWeek. A former naval officer and former systems integrator, Gallagher lives and works in Baltimore, Maryland.
