Firewall Wizards mailing list archives
Re: Cisco PIX bug, discussions (lengthy)
From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Thu, 27 Aug 1998 08:55:04 -0700
Erik (>>) and Robert (>) wrote:

> I don't think any router should do defrag! We must understand that a router and a firewall are designed for different purposes. To be able to do filtering on routers is only an option. A firewall does a lot of things not according to any RFC but the main thing here is to protect networks from any thinkable attack and if there is a possibility to do defrag-attack then it's the firewall who should handle it and that's it!

And if the router IS the firewall? My firewall used to be a Cisco with access-lists. Cisco had a bug at one time that allowed very small frags to slip past access lists because they didn't defrag. Cisco also now has a "firewall feature set" for their routers. Clearly defragging needs to be an option. Even if the router isn't doing any filtering, it's still part of your firewall system... If one's firewall could benefit in some way from the router defragging for it, why not? At a minimum, I'd like to be able to program the Cisco to block frags of a certain minimum size.

>> screening router could defrag. I guess/hope (and this is only a guess as I'm not in the Cisco engineering team) that defrag will be added to IOS firewall feature.

> That is Cisco's concern but if I was in charge I would never do this.

I think perhaps you're missing all the useful benefits one could get from this.

>> ;-) personally, I would not qualify PIX (or FW-1) as a router ;-) They are forwarding packets but do not/should not run a routing protocol to build dynamic routing table.

> Correct!

Incorrect! They forward packets between interfaces, they decrement the TTL, they frag if needed, they speak RIP.... routers. Not very good ones....but routers.

> One must know that this would really reduce the performance of the router.

But you already agreed that performance shouldn't be a driving factor in security decisions..

> /Robert Stahlbrand, Ericsson Telecom AB
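The two positions in this exchange, "the screening router should reject fragments below a minimum size" versus "the router should reassemble before filtering", are the per-fragment and defrag-then-filter strategies of RFC 1858. The Python below is an added example, not code from this thread, from Cisco, or from any of the posters: it parses IPv4 fragments, applies the per-fragment minimum-size policy (the 16-byte threshold is an assumed policy value), and contrasts it with a reassembler that lets an ACL see the whole TCP header. All packet bytes and addresses are constructed for illustration.

```python
import struct

IP_PROTO_TCP = 6
# Assumed policy value: with at least 16 bytes of TCP in fragment 0, the ports,
# sequence number, ack number and flags all arrive in the first piece, so an
# ACL that inspects only fragment 0 sees what it needs (RFC 1858 reasoning).
MIN_FIRST_FRAGMENT_PAYLOAD = 16


def parse_ipv4(pkt):
    """Return the IPv4 header fields a fragment policy needs, plus the payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    return {
        "ident": ident,
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),       # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,   # fragment offset in bytes
        "payload": pkt[ihl:total_len],
    }


def fragment_verdict(hdr, min_first_payload=MIN_FIRST_FRAGMENT_PAYLOAD):
    """Per-fragment policy a screening router can apply without reassembling.

    Returns "pass" (hand the packet to the normal ACL) or a "drop-..." reason.
    """
    is_fragment = hdr["mf"] or hdr["offset"] > 0
    if not is_fragment or hdr["proto"] != IP_PROTO_TCP:
        return "pass"  # whole datagram, or a protocol this policy does not cover
    if hdr["offset"] == 0 and len(hdr["payload"]) < min_first_payload:
        # Tiny first fragment: the TCP flags land in fragment 1, where a
        # per-fragment ACL cannot see them.
        return "drop-tiny-first-fragment"
    if 0 < hdr["offset"] < min_first_payload:
        # A fragment starting inside the TCP header can overwrite fields that
        # fragment 0 already carried once the end host reassembles.
        return "drop-overlapping-fragment"
    return "pass"


def reassemble(fragments):
    """Defrag-then-filter: rebuild the transport payload once every piece is in.

    Returns None if pieces are missing, overlap, leave a gap, or mix datagrams.
    """
    parts = sorted((parse_ipv4(f) for f in fragments), key=lambda h: h["offset"])
    if not parts or len({p["ident"] for p in parts}) != 1:
        return None
    buf = bytearray()
    for h in parts:
        if h["offset"] != len(buf):
            return None
        buf += h["payload"]
    return bytes(buf) if not parts[-1]["mf"] else None


def tcp_flags(tcp_segment):
    """Low six flag bits (URG/ACK/PSH/RST/SYN/FIN) of a complete TCP header."""
    if tcp_segment is None or len(tcp_segment) < 20:
        return None
    return tcp_segment[13] & 0x3F


def build_fragment(ident, offset_bytes, mf, payload, proto=IP_PROTO_TCP):
    """Construct a minimal IPv4 fragment (sample input; checksum left as zero)."""
    if offset_bytes % 8:
        raise ValueError("fragment offsets are in 8-byte units")
    flags_frag = (0x2000 if mf else 0) | (offset_bytes // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # constructed addresses
    return header + payload


# Constructed sample: one 20-byte TCP SYN header, split two different ways.
SYN_HEADER = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
TINY_SPLIT = [build_fragment(1, 0, True, SYN_HEADER[:8]),    # only ports + seq in frag 0
              build_fragment(1, 8, False, SYN_HEADER[8:])]   # flags arrive in frag 1
SANE_SPLIT = [build_fragment(2, 0, True, SYN_HEADER[:16]),   # flags already in frag 0
              build_fragment(2, 16, False, SYN_HEADER[16:])]


def demo():
    """Per-fragment verdicts for both splits, and the flags visible each way."""
    return {
        "tiny": [fragment_verdict(parse_ipv4(f)) for f in TINY_SPLIT],
        "sane": [fragment_verdict(parse_ipv4(f)) for f in SANE_SPLIT],
        "tiny_frag0_flags": tcp_flags(parse_ipv4(TINY_SPLIT[0])["payload"]),
        "reassembled_flags": tcp_flags(reassemble(TINY_SPLIT)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows why the two camps disagree: the per-fragment policy drops both pieces of the tiny split without ever seeing the SYN flag, while the reassembler recovers the full header and lets an ordinary ACL decide. The per-fragment check costs almost nothing per packet, which is the trade-off Robert raised; the reassembler has to hold state per datagram, which is the cost Ryan is willing to pay.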