Firewall Wizards mailing list archives
Re: Cisco PIX bug, discussions (lenghty)
From: Kevin Steves <stevesk () sweden hp com>
Date: Fri, 28 Aug 1998 05:36:49 +0200 (MET DST)
On Thu, 27 Aug 1998, Robert Stahlbrand wrote:

: > >Well...no. EVERY router can't defrag, but there's no reason my
: > >single access router in front of my firewall/IDS/whatever can't.
: >
:
: I don't think any router should do defrag! We must understand that a
: router and a firewall are designed for different purposes. To be able to
: do filtering on routers is only an option.
: A firewall does a lot of things not according to any RFC but the main thing
: here is to protect networks from any thinkable attack and if there is a
: possibility to do defrag-attack then it's the firewall who should handle
: it and that's it!
:
: > screening router could defrag. I guess/hope (and this is only a guess
: > as I'm not in the Cisco engineering team) that defrag will
: > be added to IOS firewall feature.
: >
:
: That is Cisco's concern but if I was in charge I would never do this.

For SYN flood protection they added TCP intercept (which works pretty
well actually). The firewall feature set has CBAC (context-based access
control) which adds stateful packet inspection, some type of Java
blocking, and other "firewall" stuff (note that this is limited to the
low-end routers, to protect the PIX product line I'd guess).