Firewall Wizards mailing list archives

Re: Cisco PIX bug, discussions (lengthy)


From: Kevin Steves <stevesk () sweden hp com>
Date: Fri, 28 Aug 1998 05:36:49 +0200 (MET DST)

On Thu, 27 Aug 1998, Robert Stahlbrand wrote:
: > >Well...no.  EVERY router can't defrag, but there's no reason my
: > >single access router in front of my firewall/IDS/whatever can't.
: > 
: 
: I don't think any router should do defrag! We must understand that a
: router and a firewall are designed for different purposes. To be able to
: do filtering on routers is only an option.
: A firewall does a lot of things not according to any RFC, but the main thing
: here is to protect networks from any thinkable attack, and if there is a
: possibility to do a defrag attack then it's the firewall who should handle
: it and that's it!
: 
: > screening router could defrag. I guess/hope (and this is only a guess
: > as I'm not in the Cisco engineering team) that defrag will
: > be added to IOS firewall feature.
: >
: 
: That is Cisco's concern, but if I was in charge I would never do this.

For SYN flood protection they added TCP intercept (which works pretty
well actually).

The firewall feature set has CBAC (context-based access control) which
adds stateful packet inspection, some type of Java blocking, and other
"firewall" stuff (note that this is limited to the low-end routers, to
protect the PIX product line I'd guess).
