Firewall Wizards mailing list archives
Re: Proxy 2.0 secure? (AG vs. SPF)
From: Marc Heuse <Marc.Heuse () mail deuba com>
Date: Tue, 7 Jul 1998 15:35:31 +0200 (CEST)
Hi,
This issue is that fragmentation reassembly is done differently in different stacks, so your SPF would have to know how a particular host reassembles fragments before it could protect that host if it isn't doing frag reassembly itself (see my earlier comment on this). Of course, if it is reassembling fragments, it has to do it one way, so non-malicious fragments could break for some instances.
AGs always rebuild frags in one way, correct?
Correct.
They don't have to know about each inside stack, correct?
Wrong. They should know each inside stack, because an HP printer may handle fragments, TCP options etc. differently than an NT 3.51 machine or a Linux box. Take a look at the SNI paper about IDSs; there you can read how they act differently depending on fragment age (favoring the newest/oldest fragment ...). Your Sun FW-1 may know the correct handling from the RFCs, but not all internal machines may know these too. And this is bad for security.
Then SPFs just need to have the same behaviour.
This is not possible, see above.
If rebuilding frags in a particular way can take out some inside host, the AGs suffer the same, correct?
I'd like to see the firewall going down by a DOS attack, so I know who's to blame and the vendor will fix it within the next day. If the computer of a manager or his secretary or an important internal server crashes, I'm in deep trouble ("Why did our firewall not protect us??"), and it will take longer until I get a fix (from m$? *sigh*).
Yup. An excellent HTTP proxy doesn't help all that much if you need to pass 100 other protocols, and you end up having to packet filter on the AG gateway. At that point you'd probably want an SPF for that.
Right, that's one of the few purposes I see for an SPF: getting protocols using UDP and unsocksified network software, which don't have a proxy, through.
Yes, they suck. Well, to be fair, I only have personal knowledge of FW-1 sucking. I don't know enough about PIX except apparently their VPN sucks. I don't know if the Linux SPF-like packages suck, but if it's discovered that they do, I assume it will be fixed within a day or two.
It should be noted that there is also the ip-filter package by Darren Reed, which is an SPF for *BSD, Sun, Linux and Irix ... and it's free: http://cheops.anu.edu.au/~avalon/
Kind regards,
Marc Heuse
This message and any statements expressed therein are those of myself and not of the Deutsche Bank AG or its subsidiary companies.
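Marc's point about stacks favoring the newest or the oldest copy of an overlapping fragment, as an added example that is not part of the original thread: the same constructed fragment set reassembles to two different datagrams under the two policies, and a normalizing gateway can flag the disagreement rather than guess which one the inside host will see. The names (Fragment, reassemble, conflicting_overlap, SAMPLE) and the byte-offset toy model are assumptions; real IP fragment offsets are in 8-byte units.

```python
# Added example, not code from the original post. Toy model of IP fragment
# reassembly: offsets are in bytes here (real IP uses 8-byte units).
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment within the original datagram
    data: bytes   # payload bytes carried by this fragment


def is_complete(frags):
    """True if the fragments cover every byte up to the highest end offset."""
    total = max(f.offset + len(f.data) for f in frags)
    covered = bytearray(total)
    for f in frags:
        covered[f.offset:f.offset + len(f.data)] = b"\x01" * len(f.data)
    return all(covered)


def reassemble(frags, policy):
    """Rebuild the datagram; 'old' keeps the first copy of an overlapped
    byte (favor oldest), 'new' keeps the last copy (favor newest)."""
    if policy not in ("old", "new"):
        raise ValueError("policy must be 'old' or 'new'")
    if not is_complete(frags):
        raise ValueError("datagram has holes; cannot reassemble")
    total = max(f.offset + len(f.data) for f in frags)
    buf, seen = bytearray(total), bytearray(total)
    for f in frags:                      # arrival order decides old/new
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if policy == "new" or not seen[pos]:
                buf[pos] = b
            seen[pos] = 1
    return bytes(buf)


def conflicting_overlap(frags):
    """True if two fragments carry different data for the same byte. This is
    the ambiguity a normalizer should resolve (or drop) before forwarding."""
    seen = {}
    for f in frags:
        for i, b in enumerate(f.data):
            if seen.setdefault(f.offset + i, b) != b:
                return True
    return False


# Constructed sample: the second fragment overlaps bytes 8..15 of the first.
SAMPLE = [Fragment(0, b"ABCDEFGHIJKLMNOP"),
          Fragment(8, b"12345678"),
          Fragment(16, b"QRST")]
```

A gateway that reassembles one way and an inside host that reassembles the other will disagree on the payload; conflicting_overlap(SAMPLE) is the check that catches that case before it is forwarded.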