The issue arose after a Canadian security software firm, Secure Network Incorporated (SNI), last week distributed an advisory suggesting that default settings in FireWall-1 allow outsiders to obtain information about the firewall and the network it protects. SNI suggested that hackers potentially could use that information to break into a system.
Today Check Point denied SNI's claim, reported by NEWS.COM in a story on Friday. The firewall vendor insists information obtained in a Simple Network Management Protocol (SNMP) request does not enable a security breach of FireWall-1.
"SNMP doesn't create a security threat to FireWall-1," Check Point chief executive Deborah Triant said in a statement. "No information available via SNMP will enable a hacker to break through a properly configured FireWall-1 system."
However, SNI yesterday rejected Check Point's request that it withdraw the security advisory about FireWall-1, posted December 9 both to an Internet mailing list and on SNI's Web site.
"It's definitely a security problem, but it's certainly true that there are bigger problems," Alfred Huger, an SNI project director, reiterated yesterday.
In an interview, Check Point's Triant minimized any danger: "This information can't be used to break in. It can be used to help identify weaknesses, but those are trivial compared to information from other sources."
Several weeks ago, Check Point changed the default settings on FireWall-1 to block SNMP access except for authorized internal users. Open SNMP access was one of the weaknesses cited in SNI's security alert.
SNMP is a protocol used by routers, printers, switches, and other network devices to communicate with each other for management purposes. It discloses such information as the name of the host, the number of packets transferred or dropped, the number of network interfaces, and the IP addresses of these interfaces.
Check Point contends that such information does not give hackers a way to breach the security of a network, a possibility that SNI posed in its advisory.
SNMP is used by many kinds of network systems management software deployed in large enterprises, including Hewlett-Packard's OpenView, Tivoli's TME 10 Enterprise Console, Computer Associates' Unicenter, and Sun Microsystems' Solstice.
Check Point suggests that customers worried about security reconfigure their FireWall-1 systems to make SNMP data available only to authorized internal management stations. That is Check Point's new default setting for configuring FireWall-1.
For several weeks, Check Point has made that new default setting available to its resellers in a maintenance patch for version 3.0 of its firewall, and the patch was posted publicly today on Check Point's site. The company also posted information on how to change the SNMP configuration setting for earlier versions of FireWall-1.