Saturday, December 26, 2015

CP vs PAN: mud fight

In case you missed it, there is an ongoing mud fight on LinkedIn between well-known Check Point and Palo Alto Networks people.

It all started with a YouTube video called "666 ways to bypass Palo Alto Networks in 6 minutes". The video's author goes by the pseudonym "netsecvulns". It is unclear whether the author is related to Check Point in any way.

The video is no longer available, but around three weeks ago it was referenced by Kellman Meghu, the author of Kill-HUP blog, in his now very popular LinkedIn post.

The video showed multiple evasion techniques succeeding against a PAN firewall with a basic security policy in place. The idea itself is not new: SANS described it three years ago, and NSS Labs covered it later.

Several PAN sales engineers immediately jumped into the ring to fight back. Check Point is misleading customers, they said. The PAN device was not configured properly, they said. Show us the same test against Check Point, they asked.

Kellman obliged and provided an old video by Moti Sagey in which the Evader tool fails to get past Check Point IPS even with an "any-any-accept" rule. The funniest part is that this video was posted more than half a year ago, well before "666 ways...".

In three weeks Kellman's post has gathered more than 130 comments. The PAN side has not been able to offer any technical counter-argument.

According to them, the market knows best. I guess they are referring to PAN's growth rate, because in absolute figures Check Point is still well ahead.

I am not sure when the arguing stops and some real work begins. In his latest open letter to PAN, Moti Sagey mentions that PAN is actually making an effort to fix the issue at hand.

In that post Moti also writes: "I contacted “netsecvulns,” who understands the seriousness of this vulnerability and how it can easily be exploited. NetsecVulns, showing professional courtesy to Palo Alto Networks and in the responsible interest of the security of PAN clientele, has made the video private until January 11th."

I guess we need to wait two more weeks to see how this fascinating story ends.



    It happened when Fortinet was trying to enjoy and leverage the fight.


  2. How did this story end? Is it patched now?

    1. Yes, I believe it is even mentioned in the thread there. PAN patched the issue. Now there are some false positives on SMB connections.

  3. This tool was designed by Stonesoft. It had nothing to do with Check Point. It is called Evader and can bypass all firewalls undetected. The Stonesoft team will demo it to you if you ask them.

    1. Where exactly did you see a statement that Evader is a Check Point tool?