Firewall Wizards mailing list archives

Re: Cisco PIX bug, discussions (lengthy)


From: "Ryan Russell" <ryanr () sybase com>
Date: Tue, 25 Aug 1998 09:58:17 -0700




[performance reasons snipped]

If I may also make a sweeping statement:

Performance isn't relevant to security applications.  I.e. you
can't say "it will hurt performance, so we'll leave out some
security."  If that were a consideration, we wouldn't use firewalls.
Realistically, that means that if it's too slow we buy bigger
boxes or suffer along at a slower pace.

> 5) redundant paths... a firewall is a single point of traffic
> concentration, so a firewall can reassemble all IP fragments because
> a firewall `sees' all of the fragments. From a router perspective,
> a router may not see all fragments due to load balancing among
> links, route flapping, ... so a router CANNOT do IP defragmentation.

Well...no.  EVERY router can't defrag, but there's no reason my
single access router in front of my firewall/IDS/whatever can't.

> Conclusion, for security reasons you MUST defragment IP datagrams
> at one location (i.e. the firewall); for technical reasons it is
> mostly IMPOSSIBLE to defragment in a router.

Agreed that you must defrag for security apps.  PIX and FW-1
are both routers, and you expect them to defrag, but you say
it can't be done?  Cisco routers are also firewalls, if you apply
access-lists... they won't defrag... they need to, since there
are problems with access-lists of Ciscos (probably others
too, but I really only know Ciscos.)  It's certainly not impossible
for routers to defrag if they want.

> Now, having said this, we can start the war between application
> gateway firewalls (which often rely on host TCP/IP stack for
> defragmentation) and `stateful inspection' firewalls (which must
> defragment).

No war necessary... SPF/SMLI/SI firewalls need to defrag
to operate properly.  None of the ones on the market (so
far as I know) do so currently.  All AGs do, by their nature.
As far as frags go, AGs win.

> And even ask whether any IDS does defragmentation ;-)

If I could make my access/internal router defrag, an IDS
would be a lot more useful to me.


I for one would love to have the option of my Cisco defragging for me.



                         Ryan
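The point argued in the message above, that a filter judging fragments one at a time cannot enforce a rule that depends on the whole datagram, shown as an added example. This is not code from the original post nor from PIX, FW-1 or IOS, and it does not model the specific Cisco access-list problem Ryan alludes to; the addresses, the fragment layout and the flag-based deny rule are constructed for illustration.

```python
"""Reassemble-then-filter versus per-fragment filtering of IPv4 (added example)."""
import struct

SYN, ACK = 0x02, 0x10

def build_ipv4(ident, frag_off8, mf, payload, proto=6, src="10.0.0.1", dst="10.0.0.2"):
    """Build a minimal IPv4 packet with no options; checksum left zero.
    Addresses are constructed test data, not a capture."""
    flags_frag = ((1 if mf else 0) << 13) | (frag_off8 & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload

def parse_ipv4(pkt):
    """Return the fragment fields a reassembler needs (offset in bytes)."""
    ver_ihl, _, total, ident, ff, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ident": ident, "proto": proto, "mf": bool(ff & 0x2000),
            "offset": (ff & 0x1FFF) * 8, "payload": pkt[ihl:total]}

def reassemble(packets):
    """Rebuild one datagram from its fragments, in any arrival order.
    Refuses overlaps and holes instead of guessing which copy the host keeps."""
    frags = sorted((parse_ipv4(p) for p in packets), key=lambda f: f["offset"])
    if len({(f["ident"], f["proto"]) for f in frags}) != 1:
        raise ValueError("fragments from different datagrams")
    data, expected = bytearray(), 0
    for f in frags:
        if f["offset"] < expected:
            raise ValueError("overlapping fragment")
        if f["offset"] > expected:
            raise ValueError("hole in datagram")
        data += f["payload"]
        expected += len(f["payload"])
    if frags[-1]["mf"]:
        raise ValueError("final fragment missing")
    return bytes(data)

def tcp_allowed(segment):
    """Constructed policy: inbound TCP may pass only if it is not a new
    connection attempt, i.e. drop SYN without ACK (flags live in byte 13)."""
    flags = segment[13]
    return not (flags & SYN and not flags & ACK)

def filter_per_fragment(pkt):
    """A stateless filter judging each fragment on its own, as an ACL
    without reassembly would. Non-first fragments carry no TCP header, and a
    first fragment may be too short to hold the flags byte; in both cases the
    deny rule cannot match, so this naive filter permits the fragment."""
    f = parse_ipv4(pkt)
    if f["offset"] != 0 or len(f["payload"]) < 14:
        return True
    return tcp_allowed(f["payload"])

def filter_reassembled(packets):
    """A reassembling filter: judge the whole datagram, and drop anything
    that cannot be reassembled cleanly."""
    try:
        return tcp_allowed(reassemble(packets))
    except ValueError:
        return False

# Constructed sample: a SYN to port 23, split so the first fragment holds
# only the first 8 bytes of the TCP header (ports and sequence number).
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 5 << 4, SYN, 8192, 0, 0)

def sample_fragments():
    """The two fragments of SAMPLE_SYN, deliberately out of order."""
    return [build_ipv4(7, 1, False, SAMPLE_SYN[8:]),   # offset 8 bytes, last fragment
            build_ipv4(7, 0, True, SAMPLE_SYN[:8])]    # first fragment, 8 bytes

if __name__ == "__main__":
    frags = sample_fragments()
    print("per-fragment filter passes:", all(filter_per_fragment(p) for p in frags))
    print("reassembling filter passes:", filter_reassembled(frags))
```

The per-fragment path lets the SYN through because no single fragment contains enough to match the rule; the reassembling path sees the full header and drops it. The reassembler refuses overlapping fragments rather than choosing a winner, because host stacks disagree on which copy survives, so a firewall that reassembles must either copy the policy of the hosts it protects or drop overlaps outright.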