Firewall Wizards mailing list archives

Re: Proxy 2.0 secure? (AG vs. SPF)


From: Marc Heuse <Marc.Heuse () mail deuba com>
Date: Tue, 7 Jul 1998 15:35:31 +0200 (CEST)

Hi,

The issue is that fragmentation reassembly is done differently in
different stacks, so your SPF would have to know how a particular host
reassembles fragments before it could protect that host if it isn't
doing frag reassembly itself (see my earlier comment on this).  Of
course, if it is reassembling fragments, it has to do it one way, so
non-malicious fragments could break for some instances.

AGs always rebuild frags in one way, correct?

Correct.

They don't have to know about each inside stack, correct?

Wrong. They should know each inside stack, because an HP printer may handle
fragments, TCP options etc. differently than an NT 3.51 machine or a Linux box.
Take a look at the SNI paper about IDSs; there you can read how they act
differently depending on fragment ages (favoring the newest/oldest fragment ...).
Your Sun FW-1 may know the correct handling from the RFCs, but not all
internal machines may know these too.
And this is bad for security.

Then SPFs just need to have the same behaviour.

This is not possible, see above.

If rebuilding frags in a particular way can take out some inside host,
the AGs suffer the same, correct?

I'd like to see the firewall going down by a DoS attack, so I know who's
to blame and the vendor will fix it within the next day.
If the computer of a manager or his secretary or an important internal
server crashes I'm in deep trouble ("Why did our firewall not protect
us??"), and it will take longer until I get a fix (from m$?  *sigh*)

Yup.  An excellent HTTP proxy doesn't help all that much if
you need to pass 100 other protocols, and you end up having
to packet filter on the AG gateway.  At that point you'd probably
want an SPF for that.

Right, that's one of the few purposes I see for an SPF: getting protocols using
UDP and unsocksified network software, which don't have a proxy,
through.

Yes, they suck.  Well, to be fair, I only have personal knowledge of
FW-1 sucking.  I don't know enough about PIX except apparently
their VPN sucks.  I don't know if the Linux SPF-like packages
suck, but if it's discovered that they do, I assume it will be fixed within
a day or two.

It should be noted that there is also the ip-filter package by Darren Reed,
which is an SPF for *BSD, Sun, Linux and Irix ... and it's free:
http://cheops.anu.edu.au/~avalon/



Mit freundlichen Gruessen,
                                Marc Heuse


This message and any statements expressed therein are those of myself
and not of the Deutsche Bank AG or its subsidiary companies.
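An added example of the reassembly point made above (not code from the original mail or from any product it mentions): a toy reassembler that applies two overlap policies to the same constructed fragment set and gets different payloads, plus the check a reassembling firewall can run to flag such a set as ambiguous instead of guessing which policy the inside host uses. The Fragment type, the two policy names and the sample fragments are assumptions for illustration; real stacks use more elaborate overlap rules.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment's data within the original datagram
    data: bytes   # payload bytes carried by this fragment
    more: bool    # "more fragments" flag; False marks the last fragment


def reassemble(frags, policy):
    """Reassemble in arrival order under one overlap policy (toy model, assumed).

    "favor_old": bytes already received win (first fragment to cover an offset is kept)
    "favor_new": later fragments overwrite what is already there
    """
    if policy not in ("favor_old", "favor_new"):
        raise ValueError("unknown policy")
    total, buf = None, {}
    for f in frags:
        if not f.more:
            total = f.offset + len(f.data)
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if policy == "favor_new" or pos not in buf:
                buf[pos] = b
    if total is None or any(p not in buf for p in range(total)):
        raise ValueError("incomplete datagram")
    return bytes(buf[p] for p in range(total))


def classify(frags):
    """What a reassembling firewall can say about a fragment set without knowing
    the inside host's stack:
      "clean"     - no two fragments share a byte offset
      "redundant" - fragments overlap but carry identical bytes, every policy agrees
      "ambiguous" - overlapping bytes differ, so different hosts may see different payloads
    """
    covered, overlap = {}, False
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if pos in covered:
                overlap = True
                if covered[pos] != b:
                    return "ambiguous"
            else:
                covered[pos] = b
    return "redundant" if overlap else "clean"


# Constructed samples: in AMBIGUOUS the second fragment re-covers bytes 4..7 with different content.
AMBIGUOUS = [Fragment(0, b"AAAABBBB", True), Fragment(4, b"XXXXCCCC", False)]
CLEAN = [Fragment(0, b"AAAABBBB", True), Fragment(8, b"CCCC", False)]
```

For AMBIGUOUS the two policies return b"AAAABBBBCCCC" and b"AAAAXXXXCCCC"; a firewall that passes such a set unchanged cannot know which one the inside host will see.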





