2/20/04

Secure Security Products?

Quick -- What was the first commercial firewall product with an announced serious (as in, one could "get root") security vulnerability? No, not Check Point. It was Gauntlet. (Disclaimer: it was after NAI took over, and after I left. I.e., someone else's watch. :-)) That was a few years ago. This latest vulnerability is current. SearchSecurity's write up is at here. The US CERT's Alert -- sorry, the Technical Cyber Security Alert (is this stuff great, or what?) -- number TA04036A is at TA04-036A.html. The sobering and predictable overview states, "Several versions of Check Point Firewall-1 contain a vulnerability that allows remote attackers to execute arbitrary code with administrative privileges. This allows the attacker to take control of the firewall and the server it runs on." Oh, this vulnerability is in the new Application Intelligence component of Firewall-1. ("Application Intelligence" is a marketing term for their application gateway technology, the stuff they called old technology in the late 90s. See my column "Debunking the Firewall Hype" at here.)

I am not (anymore) going to kick Check Point when they are down. This is for two reasons. First, they are not down (though their stock is not tracking the market growth... opps, sorry... really now). Second, the problem is one shared by many other vendors: the lack of an overarching and pervasive security architecture. "Security architecture," as in how the product itself is developed and secured. "Security architecture," that is not a buzzword in a press release, naming an API, but is documented and periocically checked. Just as enterprises must have a network security policy that implements a security architecture -- with both periodically reviewed and validated, security products must have a security architecture used with similar regularity. It is not Check Point. All security vendors have to be much more careful. And what about you? When was the last time you asked a security vendor to describe its security architecture?

No comments: