Managers hole own security

Companies using one of the world's leading firewalls are being left defenceless because ham-fisted network managers are not configuring it correctly.

A trio of security consultants demonstrated last week how mis-configuration of Check Point Software's Firewall-1 product can be exploited.

The demonstration was carried out at the Black Hat security conference in Las Vegas by consultants from Data Protect and the University of Michigan. It challenged the blind trust that people invest in firewalls.

A variety of techniques showed how an attacker could gain network administrator privileges and how intruding traffic could be mistaken for a trusted virtual private network connection.

Ian Burman, network security manager for a finance company, said that network managers were not necessarily to blame, as it was difficult to block all security holes.

"This shows the importance of layering different security products to protect an environment. Placing blind faith in any single product is a very bad idea," he said.

Check Point said that Firewall-1 version 4.1 SP2 and version 4.0 SP7 both address the potential mis-configuration problem and consolidate fixes for a total of 10 security issues.

The company has worked with German security firm Data Protect and the University of Michigan to develop defences against the attacks, and last week released service packs to address the configuration risk.

Greg Smith, director of product marketing at Check Point, who attended the presentation, said that it had received no reports of attacks involving the exploits demonstrated. He stated that, in most configurations, users would be safe.

"People would have to mis-configure our product or turn off options to be vulnerable to these attacks," he said. "The techniques used were more advanced than those a script kiddie would use - these were purpose built tools."

Smith added that the presentation highlighted firewall configuration as "critical". He maintained that it was important to remain up-to-date with security updates, a view strongly endorsed by UK security experts.

Matthew Bevan, hacker turned security consultant at UK Research Bureau, said that mis-configuration was the most common cause of ineffective firewalls.

"Companies spend their budget on a firewall, but let the administrator decide who and what to let in, which could compromise the entire security system," said Bevan. "Neglecting to block port 111 is very common and allows disguised hackers to enter the network."