Firewall Wizards mailing list archives

Re: Cisco PIX bug, discussions (lengthy)


From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Thu, 27 Aug 1998 08:55:04 -0700




Erik
Robert


> I don't think any router should do defrag! We must understand that a
> router and a firewall are designed for different purposes. To be able to
> do filtering on routers is only an option.
> A firewall does a lot of things not according to any RFC, but the main thing
> here is to protect networks from any thinkable attack, and if there is a
> possibility to do a defrag attack then it's the firewall that should handle
> it, and that's it!

And if the router IS the firewall?  My firewall used to be a Cisco with
access-lists.  Cisco had a bug at one time that allowed very small
frags to slip past access lists because they didn't defrag.  Cisco also
now has a "firewall feature set" for their routers.  Clearly defragging
needs to be an option.  Even if the router isn't doing any filtering,
it's still part of your firewall system... If one's firewall could benefit
in some way from the router defragging for it, why not?

At a minimum, I'd like to be able to program the Cisco to block
frags of a certain minimum size.

>> screening router could defrag. I guess/hope (and this is only a guess
>> as I'm not in the Cisco engineering team) that defrag will
>> be added to IOS firewall feature.


> That is Cisco's concern, but if I was in charge I would never do this.

I think perhaps you're missing all the useful benefits one could get from
this.

>> ;-) Personally, I would not qualify PIX (or FW-1) as a router ;-) They are
>> forwarding packets but do not/should not run a routing protocol
>> to build a dynamic routing table.

> Correct!

Incorrect!  They forward packets between interfaces, they decrement
the TTL, they frag if needed, they speak RIP.... routers.  Not very
good ones....but routers.

> One must know that this would really reduce the performance of the router.

But you already agreed that performance shouldn't be a driving factor
in security decisions..

> /Robert Stahlbrand, Ericsson Telecom AB




