Nmap Announce mailing list archives

nmap -f and FW-1


From: Lance Spitzner <lance () spitzner net>
Date: Wed, 24 May 2000 23:19:19 -0500 (CDT)

Just posted this to the FW-1 listserv, thought
you guys might be interested.  As always, comments
appreciated (I'm still learning my fragmentation).

There has been a great deal of 'controversy' concerning
how FW-1 handles IP fragmentation.  I'm not a big fan of
speculation, so I decided to test it myself.  Below are
the results (tested on FW-1, ver 4.1 on Solaris x86 2.7)
Some understanding of IP Fragmentation is expected.  Keep
in mind that the data length of Frag IP packets is increased
in increments of 8 bytes (Stevens).

1.  FW-1 by default drops any fragmented packet that has
    a data length of 8 or 16 bytes.  At a minimum, the fragmented
    IP packet must have a minimum data length of 24 bytes.  This
    means 'nmap -f' scans are dropped by default by FW-1.  The
    log entry will be rule 0 with info "reason: TCP packet too short".

2.  Fragmented packets accepted by FW-1 rulebase (minimum 24 bytes)
    are forwarded in the fragmented state.  Frags in, frags out.

3.  Fragmented packets not accepted by the FW-1 rulebase are not
    forwarded.  I DO NOT know if this means reassembly happens during
    the inspection phase.  More testing is required.

Does this mean that Windows systems are still vulnerable?  I haven't
a clue, I'm a Unix weenie :)

All testing was done with snort, hping2, and nmap (my tools of
choice).

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
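The following is an added example, not part of Lance's post or of FW-1: it models the fragment sizes he describes and the verdict he reports, so a reader can see why 8-byte fragments (the 'nmap -f' case) are logged as "TCP packet too short" while 24-byte fragments are the smallest 8-byte multiple that can carry a complete 20-byte TCP header. The sample packet, the 24-byte-per-fragment reading of his threshold and the explanation tying it to the TCP header length are assumptions of this example.

```python
# Added example (not from the original post): model IPv4 fragmentation of a
# TCP segment and the FW-1 behaviour reported in the post.
from dataclasses import dataclass
from typing import List

TCP_HEADER_LEN = 20     # minimal TCP header
FRAG_UNIT = 8           # fragment data lengths and offsets are multiples of 8 (Stevens)
FW1_MIN_FRAG_DATA = 24  # threshold reported in the post; assumed to apply per fragment

@dataclass
class Fragment:
    offset: int          # byte offset of this fragment's data in the original datagram
    more_fragments: bool # the MF flag
    data: bytes          # transport-layer bytes carried by this fragment

def fragment_datagram(payload: bytes, frag_data_len: int) -> List[Fragment]:
    """Split an IP payload (TCP header + data) into fragments of frag_data_len
    bytes; every fragment except the last must be a multiple of 8 bytes long."""
    if frag_data_len % FRAG_UNIT:
        raise ValueError("fragment data length must be a multiple of 8")
    frags = []
    for off in range(0, len(payload), frag_data_len):
        chunk = payload[off:off + frag_data_len]
        frags.append(Fragment(off, off + len(chunk) < len(payload), chunk))
    return frags

def fw1_verdict(frag: Fragment) -> str:
    """Behaviour reported in the post: a fragment carrying fewer than 24 data
    bytes is dropped by rule 0 with reason 'TCP packet too short'."""
    if len(frag.data) < FW1_MIN_FRAG_DATA:
        return "drop: rule 0, reason: TCP packet too short"
    return "inspect against rulebase"

def first_fragment_has_full_tcp_header(frags: List[Fragment]) -> bool:
    """True when the offset-0 fragment holds the whole TCP header, i.e. the
    firewall can read ports and flags without reassembling (assumed rationale)."""
    first = next(f for f in frags if f.offset == 0)
    return len(first.data) >= TCP_HEADER_LEN

# Constructed sample: 20-byte TCP header (SYN, src 1234 -> dst 80) + 28 data bytes.
SAMPLE_TCP = (b"\x04\xd2\x00\x50" + b"\x00\x00\x00\x01" + b"\x00\x00\x00\x00"
              + b"\x50\x02\x20\x00" + b"\x00\x00\x00\x00" + b"x" * 28)

if __name__ == "__main__":
    for size in (8, 24):
        frags = fragment_datagram(SAMPLE_TCP, size)
        print(f"{size}-byte fragments: {len(frags)} fragments, full TCP header in "
              f"first: {first_fragment_has_full_tcp_header(frags)}")
        for f in frags:
            print(f"  offset={f.offset:3d} MF={int(f.more_fragments)} "
                  f"len={len(f.data):2d} -> {fw1_verdict(f)}")
```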
