Firewall Wizards mailing list archives

Re: Firewall comparison in Data Communications


From: "Steven M. Bellovin" <smb () research att com>
Date: Thu, 03 Jun 1999 07:44:58 -0400

In message <19990601142700.A10893 () progressive-systems com>, "Ge' Weijers" writes:

The bugs in the host O/S are still relevant, if they can be exploited
using packets that look valid to the firewall. Some exploits use
syntactically valid packets, and a packet-at-a-time firewall may not
protect you against that if you allow incoming traffic to 

Right.  More fundamentally, firewalls can't protect you against bugs at
a higher level of the protocol stack.  An IP+port number firewall (i.e.,
a typical packet filter) is blind to TCP holes.  For that matter, it's
blind to attacks based on other portions of the IP packet that it doesn't
look at -- 'ping of death' comes to mind.
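As an added illustration of the point made above (example code, not part of the thread): a packet-at-a-time IP+port filter judges each fragment on its own, so a fragment series whose reassembled datagram would exceed the 65535-byte IP maximum (the 'ping of death' shape) passes a rule that permits ICMP to the host, while a check that follows fragment offsets across the series flags it. The addresses, the filter rule and the fragment sizes are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

IP_MAX_LEN = 65535   # the 16-bit IP total-length field cannot describe a larger datagram
IP_HDR_LEN = 20      # minimal IPv4 header, counted once in the reassembled datagram

@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: str            # "icmp" or "tcp"
    ident: int            # IP identification, shared by all fragments of one datagram
    offset: int           # fragment offset in 8-byte units, as in the IP header
    more: bool            # MF flag
    payload_len: int      # bytes carried by this fragment
    port: Optional[int] = None  # L4 destination port; only the first fragment has one

def packet_filter_allows(frag: Fragment) -> bool:
    """Stateless IP+port rule: allow ICMP to the host and TCP to port 80, judged per packet."""
    if frag.dst != "192.0.2.10":
        return False
    if frag.proto == "icmp":
        return True
    # non-first fragments carry no TCP header, so a packet-at-a-time filter sees no port
    return frag.proto == "tcp" and frag.port in (None, 80)

def oversized_datagrams(frags: List[Fragment]) -> List[int]:
    """Identifications of datagrams whose reassembled length would exceed IP_MAX_LEN."""
    end_by_key = {}
    for f in frags:
        end = IP_HDR_LEN + f.offset * 8 + f.payload_len  # last byte this fragment lands on
        key = (f.src, f.dst, f.proto, f.ident)
        end_by_key[key] = max(end_by_key.get(key, 0), end)
    return sorted(k[3] for k, end in end_by_key.items() if end > IP_MAX_LEN)

# Constructed sample traffic: an ordinary 64-byte echo request (ident 1), an ordinary
# 3000-byte echo request split into three fragments (ident 2), and a series (ident 3)
# whose last piece sits at offset 8183*8 = 65464, reassembling to 65584 bytes.
SAMPLE = [
    Fragment("198.51.100.7", "192.0.2.10", "icmp", 1, 0, False, 64),
    Fragment("198.51.100.7", "192.0.2.10", "icmp", 2, 0, True, 1480),
    Fragment("198.51.100.7", "192.0.2.10", "icmp", 2, 185, True, 1480),
    Fragment("198.51.100.7", "192.0.2.10", "icmp", 2, 370, False, 40),
    Fragment("198.51.100.7", "192.0.2.10", "icmp", 3, 0, True, 1480),
    Fragment("198.51.100.7", "192.0.2.10", "icmp", 3, 8183, False, 100),
]

if __name__ == "__main__":
    print("per-packet filter:", [packet_filter_allows(f) for f in SAMPLE])  # all True
    print("oversized on reassembly:", oversized_datagrams(SAMPLE))            # [3]
```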
