Firewall Wizards mailing list archives
Re: Cisco PIX bug, discussions (lenghty)
From: Robert Stahlbrand <robert () nmac ericsson se>
Date: Thu, 27 Aug 1998 16:34:18 +0200 (MET DST)
here we go... On Wed, 26 Aug 1998, Euan wrote:
> > Now, having said this, we can start the war between application gateway firewalls (which often rely on host TCP/IP stack for defragmentation) and `stateful inspection' firewalls (which must defragment).
>
> No war necessary... SPF/SMLI/SI firewalls need to defrag to operate properly. None of the ones on the market (so far as I know) do so currently. All AGs do, by their nature. As far as frags go, AGs win.
>
> Firewall-1 v3.0 manual, p350: "Firewall-1 performs virtual packet reassembly, and does not send a packet until all its fragments have been collected. The algorithm used is stricter than the standard packet reassembly algorithm, and does not permit overlays". So it would appear that at least one SMLI firewall on the market does defrag. Of course this takes us back to the DoS attacks hinted at previously...
>
> -Euan.
One interesting thing about FW-1 is that it seems to have a bug if you send a FIN + fragmented packet (read more in Phrack Magazine 48, Uriel's Stealth scanner, and 51, Fyodor's nmap) to a machine behind the firewall and you choose to drop the packet instead of rejecting it. The log says that the packet is dropped, but it is not! If the machine on the inside is permitted to answer, it does, and you can scan hosts for open ports. This bug is at least half a year old and I have tried to bring it to attention before, so maybe it's fixed, but I haven't seen any statement that proves it.

/Robert Stahlbrand, Ericsson Telecom AB
"Real hackers don't die, their TTL expires."
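The two messages above make one technical point between them: a filter that matches on TCP flags has nothing to match against when the TCP header is split across IP fragments (the flags byte sits at offset 13 of the segment, so an 8-byte first fragment carries only the ports and sequence number), which is why a stateful-inspection firewall must reassemble, and why Check Point's manual describes a reassembly that refuses overlapping fragments. The following is an added example written for this archive page, not code from the list, from Check Point or from any of the scanners cited; it builds fragments with the standard library only, and the names (StrictReassembler, first_fragment_only, inspect_with_reassembly), the 10.0.0.x addresses and the deny rule "FIN set, ACK clear" are assumptions chosen to illustrate the discussion, not a reproduction of FW-1's actual rule base or algorithm.

```python
import struct

# Constructed constants for the example (not taken from the thread).
FIN, SYN, ACK = 0x01, 0x02, 0x10
PROTO_TCP = 6


class FragmentError(Exception):
    """Raised when a fragment overlaps data already held for the same datagram."""


def ipv4_fragment(ident, proto, payload, offset, more):
    """Minimal IPv4 packet (no options, zero checksum) carrying one fragment of `payload`."""
    total = 20 + len(payload)
    flags_frag = (0x2000 if more else 0) | (offset // 8)      # MF bit + offset in 8-byte units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ident, flags_frag, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # assumed addresses
    return hdr + payload


def fragment_datagram(ident, proto, payload, first_len):
    """Split a datagram into two fragments; the first carries `first_len` bytes (multiple of 8)."""
    assert first_len % 8 == 0, "fragment offsets are measured in 8-byte units"
    return [ipv4_fragment(ident, proto, payload[:first_len], 0, True),
            ipv4_fragment(ident, proto, payload[first_len:], first_len, False)]


def tcp_segment(sport, dport, flags):
    """20-byte TCP header with no payload; the flags byte lands at offset 13."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


def parse_ipv4(pkt):
    """Pull out the fields the reassembler needs from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return {"id": ident, "proto": pkt[9], "mf": bool(flags_frag & 0x2000),
            "off": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}


def policy(segment):
    """Assumed deny rule: a FIN probe (FIN set, ACK clear) is dropped, anything else passes."""
    f = segment[13]
    return "drop" if (f & FIN) and not (f & ACK) else "pass"


def first_fragment_only(pkt):
    """A filter that looks at the leading fragment alone: it cannot see flags that are not there."""
    f = parse_ipv4(pkt)
    if f["off"] != 0 or len(f["payload"]) < 14:   # non-first fragment, or header cut before the flags byte
        return "pass"
    return policy(f["payload"])


class StrictReassembler:
    """Virtual reassembly in the sense of the quoted manual: hold every fragment of a datagram
    until all are present, and reject any fragment that overlaps data already held."""

    def __init__(self):
        self.buckets = {}

    def feed(self, pkt):
        f = parse_ipv4(pkt)
        key = (f["id"], f["proto"])
        b = self.buckets.setdefault(key, {"frags": [], "total": None})
        start, end = f["off"], f["off"] + len(f["payload"])
        for s, e, _ in b["frags"]:
            if start < e and s < end:                 # ranges intersect: overlay attempt
                del self.buckets[key]
                raise FragmentError(f"overlapping fragment at offset {start}")
        b["frags"].append((start, end, f["payload"]))
        if not f["mf"]:
            b["total"] = end                          # last fragment fixes the datagram length
        if b["total"] is None:
            return None
        frags = sorted(b["frags"])
        pos = 0
        for s, e, _ in frags:                         # require a gap-free run from offset 0
            if s != pos:
                return None
            pos = e
        if pos != b["total"]:
            return None
        del self.buckets[key]
        return b"".join(p for _, _, p in frags)


def inspect_with_reassembly(reassembler, pkts):
    """Feed fragments in order; a decision exists only once the datagram is complete."""
    decision = None
    for p in pkts:
        datagram = reassembler.feed(p)
        if datagram is not None:
            decision = policy(datagram)
    return decision


if __name__ == "__main__":
    probe = fragment_datagram(0x1234, PROTO_TCP, tcp_segment(40000, 80, FIN), 8)
    print("first fragment only:", first_fragment_only(probe[0]))
    print("after reassembly:   ", inspect_with_reassembly(StrictReassembler(), probe))
```

Run as a script it shows the gap the thread is about: the 8-byte first fragment passes a flag-matching filter because the flags byte is in the second fragment, while the reassembled segment is dropped. The overlap check is what the manual's "does not permit overlays" buys: a second fragment that rewrites offsets already held is refused outright rather than being allowed to overwrite the flags of an earlier, already-inspected fragment.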
Current thread:
- Re: Cisco PIX bug, discussions (lenghty) Eric Vyncke (Aug 25)
- Re: Cisco PIX bug, discussions (lenghty) Ryan Russell (Aug 25)
- Re: Cisco PIX bug, discussions (lenghty) Eric Vyncke (Aug 25)
- Re: Cisco PIX bug, discussions (lenghty) Robert Stahlbrand (Aug 27)
- Re: Cisco PIX bug, discussions (lenghty) Kevin Steves (Aug 28)
- Re: Cisco PIX bug, discussions (lenghty) Eric Vyncke (Aug 25)
- Re: Cisco PIX bug, discussions (lengthy) Frank Willoughby (Aug 26)
- Re: Cisco PIX bug, discussions (lenghty) Euan (Aug 26)
- Re: Cisco PIX bug, discussions (lenghty) Aleph One (Aug 27)
- Re: Cisco PIX bug, discussions (lenghty) Robert Stahlbrand (Aug 27)
- Re: Cisco PIX bug, discussions (lenghty) Eric Vyncke (Aug 28)
- Re: Cisco PIX bug, discussions (lenghty) Joseph S. D. Yao (Aug 26)
- Re: performance vs. security (was Cisco PIX ...) (NetQuest) Borkin, Michael (Aug 30)
- Re: Cisco PIX bug, discussions (lenghty) Robert Stahlbrand (Aug 27)
- Re: Cisco PIX bug, discussions (lenghty) Aleph One (Aug 28)