Security firms Check Point and NTA Monitor have been bickering over a possible weakness in Check Point’s Firewall-1 product.
NTA kicked off the argument in a press statement, whcih said that Checkpoint Firewall-1 VPNs were visible to potential attackers because the product advertised its type and version number.
"VPNs have been assumed to be an invisible and secure method of communication between a server and a remote connection, but such thinking is naive," said Roy Hills, technical director of NTA Monitor. "The Check Point Firewall-1 system cannot only be discovered, but the manufacturer and sometimes the version can also be identified."
Check Point fired back saying it had correctly implemented the internet key exchange (IKE) standard and the information leak was not considered to be a security threat to its customers.
"The information we disclose is in compliance with the IKE RFC," said Niall Moynihan, technical director, northern Europe at Check Point. "The disclosure of vendor and product information is not significant and does not present a security threat. Information shared includes Check Point gateway presence. This does not present a security threat, but is not needed during an initial stage of the IKE negotiation and product configuration compliant with the RFC."
A spokeswoman for Check Point added: "It is not a major issue which is why Check Point hasn't posted anything on its website."
NTA Monitor's Hills said that the Check Point should be aware of the security implications of their decision.
"It doesn't allow anyone to gain access by itself, but it's never a good idea to let the world know what type and version of firewall you are running because that information can help a potential attacker," said Hill. "In general, you shouldn't give more information than you need to, and that applies especially to firewalls and other security devices, which provide the foundation of an organisation's security. I wonder how many Firewall-1 users would be happy for the firewall to disclose this information."
