Firewall Wizards mailing list archives
Re: Additional TPC/IP stack
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Fri, 07 Nov 1997 23:55:21 -0500
An NT based firewall I've been reading about is marketted as using an additional TCP/IP stack, which performs additional checking before transerring the packets to the native NT TCP/IP stack. (The firewall in question is Cisco's Centri) My questions are: Do you feel that such additional checking in an ad hoc IP stack is valuable?
In general, I believe that error checking can never be a bad thing. One of the reasons that software has so many security problems is because there is an insufficiency of "sanity check" interlocks between layers of software. There's too much trust. So, it's probably not a bad idea to have different implementations that effectively check eachother over for bugs or loose interpretations of specifications.
What kind of additional checks would make sense?
Mostly, in an IP stack, I'd expect you'd be looking for large or corrupt or fragmented or tiny or otherwise weird packets. I suppose you might also look at sequencing issues, and so forth -- that's about all that you have available to you at the IP level, unless you start reassembling all the traffic and looking into the data streams (that's a hard problem!). In other words it makes sense but I'm not sure there's a huge "bang for the buck" in doing it -- the bulk of the interesting holes that are going to let someone punch through a firewall are in application software BEHIND the firewall -- which means that looking through the stack is less interesting than looking at the application stream.
Is this a valid/reasonable approach or is it just hype?
I don't know if I'd dismiss it entirely as hype. But I don't know if I'd say it adds dramatically to the security of the system in question. It's also quite possible that the vendor in question chose to go that route because of problems (performance/quality/interface) with the existing IP stack. I'm cheating here because I already know the poster was referring to a particular NT based product and I know the guys who wrote it -- a lot of the decision to replace the stack was based on early experience with NT's IP stack. mjr. -- Marcus J. Ranum, CEO, Network Flight Recorder, Inc. work - http://www.nfr.net home - http://www.clark.net/pub/mjr
Current thread:
- Additional TPC/IP stack Franco RUGGIERI (Nov 07)
- Re: Additional TPC/IP stack Marcus J. Ranum (Nov 07)
- Re: Additional TPC/IP stack Jyri Kaljundi (Nov 08)
- Re: Additional TPC/IP stack Darren Reed (Nov 09)
- <Possible follow-ups>
- RE: Additional TPC/IP stack Scott Wiegel (Nov 08)