Firewall Wizards mailing list archives
Re: Proxy 2.0 secure? (AG vs. SPF)
From: "Paul D. Robertson" <proberts () clark net>
Date: Wed, 8 Jul 1998 10:46:16 -0400 (EDT)
On Tue, 7 Jul 1998, Ryan Russell wrote:
> But if the AG already defragged the packets, then there aren't the weird fragments going inside, right? This assumes that your AG doesn't have to fragment on the way inside, or some intermediate device frags for you in such a way as to wipe out inside machines by chance.
This is a stretch, a long stretch. All of a sudden you've got the AG stack innocently creating invalid fragments, or an internal router doing the same? Even NT doesn't do this, let alone any current router product. The AG shouldn't fragment if the internal media is the same, heck we've even done TCP path MTU with the client, in the case of TCP based protocols, which is the bulk of what's passed today. Since the AG lives on the network that the client connects to, its packets will be as big as the MTU for that media.

Passing malicious fragments is a heck of a lot different than creating malicious fragments. Creating them would mean a bug, and would happen for every packet transiting the particular interface media; you'd spot it pretty quickly in testing. Since we don't have variable MTU media, it's not likely to be a transient problem. I regularly run Ethernet homed gateways to Token Ring homed users and vice versa and have over the last several years, and I've yet to see an incorrectly generated fragment on behalf of a gateway, client station or router.

The problem with fragments isn't their existence, it's overlapping offsets, which once again, isn't a problem when you're an endpoint in the communication. The argument against fragments with malicious data is totally within the realm of packet filters and network IDS systems. Frag content simply isn't a threat to an AG or clients protected by one. The only place you have a window of vulnerability with frags on an AG is in how long you hold a frag prior to dropping it, and it's the same issue as SYN flooding. Once again, your SPF will have the same issue if it reassembles frags, and the "protected" clients will if it doesn't.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net   which may have no basis whatsoever in fact."
PSB#9280
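The two endpoint-side points in this post, refusing fragments with overlapping offsets and bounding how long a partial datagram is held, as an added example that is not from the thread or any product it discusses. Byte offsets (rather than IP's 8-byte units) and the `max_hold` parameter are assumptions of this toy reassembler, not details from the post.

```python
# Added example, not from the thread: a minimal fragment reassembler
# that (1) drops a datagram as soon as two fragments overlap instead of
# choosing a winner, and (2) expires partial datagrams held too long,
# which is the resource-exhaustion window the post compares to SYN flooding.
# Assumption: offsets are byte offsets; IP's 8-byte units are omitted.

class FragmentReassembler:
    def __init__(self, max_hold=30.0):
        self.max_hold = max_hold
        # frag_id -> {"first": arrival time, "segs": [(offset, data)], "total": int|None}
        self.buffers = {}

    def expire(self, now):
        """Drop every partial datagram held longer than max_hold; return ids dropped."""
        stale = [i for i, b in self.buffers.items() if now - b["first"] > self.max_hold]
        for i in stale:
            del self.buffers[i]
        return stale

    def add(self, frag_id, offset, more, data, now):
        """Return ('overlap', None), ('pending', None) or ('done', payload)."""
        self.expire(now)
        b = self.buffers.setdefault(frag_id, {"first": now, "segs": [], "total": None})
        end = offset + len(data)
        for off, seg in b["segs"]:
            if off == offset and seg == data:
                return ("pending", None)          # exact duplicate: harmless, ignore
            if offset < off + len(seg) and off < end:
                del self.buffers[frag_id]         # overlapping offsets: refuse whole datagram
                return ("overlap", None)
        b["segs"].append((offset, data))
        if not more:
            b["total"] = end                      # last fragment fixes the datagram length
        if b["total"] is None:
            return ("pending", None)
        b["segs"].sort()
        pos = 0
        for off, seg in b["segs"]:                # require a gap-free run from offset 0
            if off != pos:
                return ("pending", None)
            pos += len(seg)
        if pos != b["total"]:
            return ("pending", None)
        del self.buffers[frag_id]
        return ("done", b"".join(seg for _, seg in b["segs"]))
```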