Firewall Wizards mailing list archives
Re: Buffer Overruns
From: "Epstein, Jeremy" <Jeremy_Epstein () NAI com>
Date: Mon, 20 Dec 1999 08:09:49 -0800
The answers to this question have been interesting, because those writing responses have interpreted the original question in two different ways. The first interpretation is "are vulnerabilities in hosts behind the firewall protected by the firewall itself". The second interpretation is "are firewalls *themselves* vulnerable to buffer overrun attacks". The answer to the first question is "it depends", and the answer to the second question is "it depends".

Firewalls may protect against some attacks against the hosts behind them, not just for buffer overruns but for other attacks too. For example, a firewall might filter out DEBUG messages sent to sendmail, just in case anyone is still running a ten-year-old version of sendmail! Or a firewall could filter out URLs longer than the maximum allowed, to prevent a buffer overrun attack against web servers. I know that some firewalls protect against some of these attacks, but I wouldn't rely on a firewall to prevent all of these attacks. Joe Yao, Crispin Cowan, and Steve Bellovin explained the issues in this area nicely. In particular, Crispin's StackGuard would be a good solution to this problem.

With respect to the second question, firewalls may be as vulnerable as other hosts. As Marcus points out, "buffer overruns in proxy firewalls can be pretty lethal". We recently used software wrappers to constrain the behavior of application proxies on Gauntlet; the result was that buffer overrun attacks were more limited. (I won't say they were impossible; I know better than that :-) I have a paper in preparation on this topic...

So.... which question was being asked? The answer is still "it depends", but the factors are different :-)

--Jeremy Epstein, NAI Labs
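The two filtering examples in the message above (dropping SMTP DEBUG commands, and rejecting HTTP request lines whose URL exceeds a configured maximum) are the kind of check an application proxy can apply before a request reaches the protected host. The following is an added illustration, not code from the original post or from Gauntlet: a minimal filter for the two protocols, with a constructed sample of request lines run through it. The length limit, the blocked-verb set, and the sample lines are all assumptions chosen for the example; a real deployment would set the limit from the protected server's actual maximum, and, as the post itself says, such a filter reduces exposure rather than guaranteeing protection.

```python
"""Added example: application-layer filtering of the kind the post describes.

Two checks are shown:
  * HTTP request lines whose URL is longer than MAX_URL_LEN are rejected.
  * SMTP command lines whose verb is in BLOCKED_SMTP_VERBS (DEBUG) are rejected.
The limits and the sample traffic below are constructed for illustration.
"""
import re

# Assumed limit: the protected web server's real maximum is what matters.
MAX_URL_LEN = 2048

# Assumed policy: the post names DEBUG; other verbs can be added here.
BLOCKED_SMTP_VERBS = {"DEBUG"}

# HTTP/1.x request line: METHOD SP request-target SP HTTP-version
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/\d\.\d)$")


def check_http_request_line(line, max_url_len=MAX_URL_LEN):
    """Return (allowed, reason) for one HTTP request line.

    Malformed request lines are rejected as well as over-long URLs, since a
    proxy that cannot parse the line cannot reason about what the server
    will do with it.
    """
    match = REQUEST_LINE.match(line.rstrip("\r\n"))
    if not match:
        return False, "malformed request line"
    _method, url, _version = match.groups()
    if len(url) > max_url_len:
        return False, "URL length %d exceeds limit %d" % (len(url), max_url_len)
    return True, "ok"


def check_smtp_command(line, blocked=BLOCKED_SMTP_VERBS):
    """Return (allowed, reason) for one SMTP command line.

    SMTP verbs are case-insensitive, so the verb is upper-cased before the
    lookup; 'debug' and 'DEBUG' are treated alike.
    """
    verb = line.strip().split(" ", 1)[0].upper()
    if verb in blocked:
        return False, "blocked SMTP verb %s" % verb
    return True, "ok"


# Constructed sample traffic (not captured from any real system).
SAMPLE_HTTP = [
    "GET /index.html HTTP/1.0",
    "GET /" + "A" * 5000 + " HTTP/1.0",   # over-long URL
    "GARBAGE",                            # not a request line at all
]
SAMPLE_SMTP = [
    "HELO mail.example.com",
    "debug",                              # lower-case DEBUG
    "MAIL FROM:<alice@example.com>",
]


def filter_samples():
    """Run both checks over the constructed samples; returns allow/deny lists."""
    return {
        "http": [check_http_request_line(l)[0] for l in SAMPLE_HTTP],
        "smtp": [check_smtp_command(l)[0] for l in SAMPLE_SMTP],
    }


if __name__ == "__main__":
    for line in SAMPLE_HTTP:
        allowed, reason = check_http_request_line(line)
        print("HTTP %-5s %s" % ("allow" if allowed else "deny", reason))
    for line in SAMPLE_SMTP:
        allowed, reason = check_smtp_command(line)
        print("SMTP %-5s %s" % ("allow" if allowed else "deny", reason))
```

The filter only enforces what the operator has configured; an overrun reachable through a field the proxy does not measure, or through a URL shorter than the configured limit but longer than the server's own buffer, passes straight through, which is why the post does not rely on the firewall alone.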
Current thread:
- Re: Buffer Overruns, (continued)
- Re: Buffer Overruns Frederick M Avolio (Dec 20)
- RE: Buffer Overruns Michael D. Hunter-Linville (Dec 21)
- Re: Buffer Overruns Saravana Ram (Dec 24)
- Re: Buffer Overruns Frederick M Avolio (Dec 20)
- Re: Buffer Overruns Ryan Russell (Dec 18)
- Re: Buffer Overruns Steven M. Bellovin (Dec 18)
- Re: Buffer Overruns Vin McLellan (Dec 20)
- Re: Buffer Overruns Joseph S D Yao (Dec 21)
- OT - Rant on State of S/w Engr (was Re: Buffer Overruns) Lim Wei Siong Vincent (Dec 22)
- Re: OT - Rant on State of S/w Engr (was Re: Buffer Overruns) Joseph S D Yao (Dec 23)
- Re: Buffer Overruns Joseph S D Yao (Dec 21)
- Re: Buffer Overruns Crispin Cowan (Dec 21)
- Re: Buffer Overruns Michael Kelly (Dec 22)
- Re: Buffer Overruns Joseph S D Yao (Dec 23)
- Re: Buffer Overruns Crispin Cowan (Dec 30)
- Re: Buffer Overruns Joseph S D Yao (Dec 30)