Mitigating CVE-2008-1447…DNS Cache Poisoning Pt.2

There is still some confusion about what conditions need to exist for the latest DNS cache poisoning vulnerability to be exploitable. Many people think that once they patch their DNS servers the risk has been mitigated. However, I am finding quite a few people who are not aware of the PAT/HideNAT component of this vulnerability. Basically, if you have a patched DNS server sitting behind PAT/HideNAT, you are still vulnerable to CVE-2008-1447 and VU#800113. This is because PAT/HideNAT does not “scramble” the source port: it rewrites the randomized source port the patched resolver chose, typically with a port from its own small or sequential pool, so the randomization the patch adds is undone on the outside of the firewall. If your security team, sysadmins and networking groups are not all communicating, you might have overlooked this piece. I created a quick flowchart for Check Point users that can give some ideas on how to approach all of this.
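To make the PAT/HideNAT point concrete, here is a small simulation I added for this post (it is not Check Point code and not part of the original write-up). It models a patched resolver that randomizes its source port, passes its queries through either a static NAT or a hide-NAT, and reports what an observer outside the firewall would see. The sequential port pool in `hide_nat()` is an assumption for the demonstration; real PAT implementations differ, but any that rewrites ports from a predictable pool has the same effect.

```python
import random

# Added illustration: how a patched resolver's source-port randomization can be
# undone by a PAT/HideNAT device. The sequential port pool modelled in hide_nat()
# is an assumption for this example; real PAT implementations vary.


def resolver_queries(n, randomized=True, fixed_port=53, seed=0):
    """Emit n outbound DNS queries as (transaction_id, source_port) pairs.

    A patched resolver draws a random ephemeral source port for every query;
    an unpatched one reuses a single fixed port, leaving only the 16-bit
    transaction ID as the unpredictable part of each exchange.
    """
    rng = random.Random(seed)
    queries = []
    for _ in range(n):
        txid = rng.randrange(1 << 16)
        port = rng.randrange(1024, 65536) if randomized else fixed_port
        queries.append((txid, port))
    return queries


def hide_nat(queries, first_port=10000):
    """Model a PAT/HideNAT that rewrites every inside source port with the next
    port from its own sequential pool (constructed behaviour for this example).
    The transaction ID is application data and passes through untouched."""
    return [(txid, first_port + i) for i, (txid, _inside_port) in enumerate(queries)]


def static_nat(queries):
    """A static (one-to-one) NAT rewrites only the address, so the source port
    the resolver chose survives to the outside."""
    return list(queries)


def port_profile(queries):
    """Summarise what an observer outside the firewall would see: how many
    distinct source ports appear, and how often the next port is simply the
    previous one plus one (a fully predictable pool scores 1.0)."""
    ports = [port for _txid, port in queries]
    pairs = list(zip(ports, ports[1:]))
    sequential_steps = sum(1 for a, b in pairs if b == a + 1)
    return {
        "distinct_ports": len(set(ports)),
        "sequential_fraction": sequential_steps / len(pairs) if pairs else 0.0,
    }


def compare_paths(n=1000):
    """Profile the three deployment cases discussed in the post."""
    patched = resolver_queries(n, randomized=True)
    unpatched = resolver_queries(n, randomized=False)
    return {
        "patched + static NAT": port_profile(static_nat(patched)),
        "patched + PAT/HideNAT": port_profile(hide_nat(patched)),
        "unpatched": port_profile(unpatched),
    }


if __name__ == "__main__":
    for path, profile in compare_paths().items():
        print(f"{path:24s} distinct ports={profile['distinct_ports']:5d} "
              f"sequential fraction={profile['sequential_fraction']:.3f}")
```

The patched resolver behind a static NAT shows close to a thousand distinct, unordered ports; the same resolver behind the modelled hide-NAT shows a thousand ports that are perfectly sequential, which is why the patch alone does not close the hole in that topology. The unpatched case shows a single port, the situation the patch was meant to fix.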

Check Point customers are protected from the different combinations of patched DNS servers, unpatched DNS servers, static NAT and PAT/HideNAT, etc. if they simply check a radio button in SmartDefense.

Also, if you are using SmartDefense you can track potential attacks by enabling DNS > Cache Poisoning > Mismatched Replies. This will alert you once a threshold of mismatched replies is hit, which is very handy. Depending on how busy your environment is, you may have to adjust the settings (although I have been hearing that this is for the most part working “out of the box”).
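For readers who want to see what a “mismatched replies” threshold actually counts, here is a small detector I added for this post. It is an illustration, not Check Point’s SmartDefense implementation: the log format, the `(id, port, qname)` matching key, the sliding window and the sample log lines are all constructed for the example. A reply is treated as legitimate only if it matches a query that is still outstanding; anything else is a mismatch, and enough mismatches inside the window raise an alert.

```python
import re
from collections import deque

# Added illustration of "mismatched reply" detection. Log format, field names and
# the sliding-window threshold are constructed for this example; they are not
# Check Point's SmartDefense implementation.

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<kind>query|reply) id=(?P<id>\d+) "
    r"port=(?P<port>\d+) qname=(?P<qname>\S+)$"
)

# Constructed sample log: two normal lookups, then one lookup for
# www.example.com that receives six replies whose transaction IDs do not
# match the outstanding query before the genuine answer arrives.
SAMPLE_LOG = """\
1 query id=4321 port=30001 qname=mail.example.net
2 reply id=4321 port=30001 qname=mail.example.net
3 query id=1000 port=20000 qname=www.example.com
3 reply id=1001 port=20000 qname=www.example.com
3 reply id=1002 port=20000 qname=www.example.com
4 reply id=1003 port=20000 qname=www.example.com
4 reply id=1004 port=20000 qname=www.example.com
4 reply id=1005 port=20000 qname=www.example.com
5 reply id=1006 port=20000 qname=www.example.com
5 reply id=1000 port=20000 qname=www.example.com
"""


def parse_line(line):
    """Parse one log line into a dict, or raise ValueError on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    rec = m.groupdict()
    for field in ("ts", "id", "port"):
        rec[field] = int(rec[field])
    return rec


def detect_mismatched_replies(lines, threshold=5, window_seconds=10):
    """Flag replies that match no outstanding query on (id, port, qname).

    A reply is legitimate only if a query with the same transaction ID,
    resolver port and name is still unanswered. Mismatches are counted in a
    sliding time window; reaching `threshold` within `window_seconds`
    produces an alert and resets the window, mirroring a threshold-based
    protection.
    """
    outstanding = set()
    recent_mismatches = deque()
    alerts = []
    mismatched = 0

    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["id"], rec["port"], rec["qname"])

        if rec["kind"] == "query":
            outstanding.add(key)
            continue

        if key in outstanding:
            outstanding.discard(key)  # genuine answer to a pending query
            continue

        mismatched += 1
        recent_mismatches.append(rec["ts"])
        while recent_mismatches and rec["ts"] - recent_mismatches[0] > window_seconds:
            recent_mismatches.popleft()
        if len(recent_mismatches) >= threshold:
            alerts.append((rec["ts"], rec["qname"], len(recent_mismatches)))
            recent_mismatches.clear()

    return {"mismatched": mismatched, "alerts": alerts}


if __name__ == "__main__":
    result = detect_mismatched_replies(SAMPLE_LOG.splitlines())
    print(f"mismatched replies: {result['mismatched']}")
    for ts, qname, count in result["alerts"]:
        print(f"ALERT t={ts}: {count} mismatched replies for {qname}")
```

On the sample log the detector counts six mismatched replies and raises one alert when the fifth arrives; the genuine answer at the end still matches and is never counted. The threshold and window are the knobs the post says you may need to tune for a busy environment: a large resolver legitimately sees some late or duplicate replies, so the threshold has to sit above that baseline.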

Is your security vendor vulnerable?

It is concerning to look at the CERT vendor list and see “security” companies fail to participate in a serious security event of this magnitude, especially considering they had over a month’s notice to produce some type of protection, let alone a communiqué. If your CIO asks, just tell them that Check Point had something in place over 1,000 days ago.

*Update: Scott P. from Watchguard contacted me to let me know that although for some reason they do not appear on the CERT Vendor list (as of this writing), they have been educating their customers about Watchguard’s workaround on this latest issue via their LiveSecurity alert service and Podcast. The Watchguard Blog contains more information for their customers as well. Thanks Scott!

Mitigating CVE-2008-1447…DNS Cache Poisoning

There is a huge issue that was raised a few weeks ago about a vulnerability in DNS and how a DNS server’s cache can be poisoned. There is a lot of information out there describing this latest vulnerability. Basically what it boils down to is that non-randomized source ports combined with request IDs within DNS [...]

Enabling SPlat Pro after installation

I had a question from a customer last week. They had a bunch of R65 SPlat gateways out in the field. In the past they were just passing BGP and OSPF, and they now wanted some of them to participate in dynamic routing. To do this they would need to upgrade to SPlat Pro. The concern [...]

Eventia Compliance Reports Matrix

In previous Eventia postings I discussed the new Compliance Reports available for Reporter, and presented information on how to install them. These are the new reports that directly reference ISO 17799, COBIT, PCI-DSS, SOX, and HIPAA.
Looks like Check Point posted a matrix on their website to help customers further narrow down the reports that will [...]

Can I view my ASA logs in Tracker?

This was a question I had in a recent meeting with a large Fortune 100 company. They were traditionally a strong Check Point customer, but a shift in upper management forced them to take on 50+ Cisco ASAs. This was really unfortunate because their team’s Check Point knowledge was very strong and their experience with [...]

Check Point Eye Candy

There is a cool Flash demo that was released last month from Check Point. I have not seen it published publicly yet, but the demo includes narration and gives the user a tour of the Check Point Unified Security Architecture.
The demo covers three main scenarios: Perimeter Security, EndPoint Security, and UTM-1. There is [...]

Updates to Eventia Analyzer

There were some new updates posted for Eventia Analyzer on Feb 19th. The updates are delivered through the “dynamic updates” function in the Analyzer GUI. Check Point is making updates to both the Analyzer “Policy” and “Parsing” components.
I found some interesting links that detail the history of the updates. As you can see, there is [...]

R62 HFA01 in the works…

Despite what a certain reseller’s engineer that I know has been telling a lot of customers, there is in fact an HFA01 for R62 in the works. Word is that it is in EA and will be released in the next few weeks. There will be close to 60 issues and enhancements with a big [...]

Eventia Compliance Reports Installation How-To

As promised, I created a quick ‘how-to’ for installing the new Compliance Reports. The installation is performed on the Client only. Nothing is changed on the Eventia Server itself, so this is pretty low-risk. The installation is also pretty easy, but I thought some screenshots might answer some of the questions I have gotten [...]

New Eventia Reporter Compliance Reports

A few weeks ago the Eventia team released a new category of reports for Eventia Reporter. This category is called “Compliance” and includes 19 new reports for “ISO 17799, COBIT, PCI-DSS, SOX and HIPAA Compliance Source Requirements.”
There is no extra cost for these reports. You simply login with your User Center credentials, go to the [...]