Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Additional TPC/IP stack

From: "Marcus J. Ranum" <mjr () nfr net>
Date: Fri, 07 Nov 1997 23:55:21 -0500
An NT based firewall I've been reading about is marketted as using an
additional TCP/IP stack, which performs additional checking before
transerring the packets to the native NT TCP/IP stack. (The firewall in
question is Cisco's Centri)  My questions are:
      Do you feel that such additional checking in an ad hoc IP stack is
valuable?


In general, I believe that error checking can never be a bad
thing. One of the reasons that software has so many security
problems is because there is an insufficiency of "sanity check"
interlocks between layers of software. There's too much trust.
So, it's probably not a bad idea to have different implementations
that effectively check eachother over for bugs or loose interpretations
of specifications.


      What kind of additional checks would make sense?


Mostly, in an IP stack, I'd expect you'd be looking for large
or corrupt or fragmented or tiny or otherwise weird packets.
I suppose you might also look at sequencing issues, and
so forth -- that's about all that you have available to you at
the IP level, unless you start reassembling all the traffic
and looking into the data streams (that's a hard problem!).

In other words it makes sense but I'm not sure there's a huge
"bang for the buck" in doing it -- the bulk of the interesting
holes that are going to let someone punch through a firewall
are in application software BEHIND the firewall -- which means
that looking through the stack is less interesting than looking
at the application stream.


      Is this a valid/reasonable approach or is it just hype?


I don't know if I'd dismiss it entirely as hype. But I don't know if
I'd say it adds dramatically to the security of the system in question.
It's also quite possible that the vendor in question chose to go
that route because of problems (performance/quality/interface)
with the existing IP stack. I'm cheating here because I already
know the poster was referring to a particular NT based product
and I know the guys who wrote it -- a lot of the decision to
replace the stack was based on early experience with NT's
IP stack.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
Previous By Date Next
Previous By Thread Next

Current thread: