Security Basics mailing list archives

RE: win2k firewall


From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 13 Jan 2003 07:47:54 -0800

...., but it also has the
ability to defragment incoming packets for reassembly and proper
analysis.  

  Fragmented packets should be DROPPED.  Packet reassembly sounds 
like a nifty feature to have, but it's a DoS attack from Hell just
waiting for someone to write the code -- if they haven't yet.  The
only downside of dropping fragments is that in a few cases clients
may need to tweak their MTUs.  Fragmentation needs to be done at
the UDP/TCP layer (ICMP never has a legitimate need for it) so every
packet has the headers needed for security analysis.

Dave Gillett

-----Original Message-----
From: Jason Dixon [mailto:jasondixon () myrealbox com]
Sent: January 8, 2003 10:13
To: security-basics () securityfocus com
Subject: RE: win2k firewall


On Tue, 2003-01-07 at 15:26, Daniel R. Miessler wrote:
Why would you tell someone to run BlackIce, which has bugs in it.
If you're going to have a firewall, just grab a box that is not being used
and put OpenBSD on there and make your firewall that way.

Because when you pass ports through a packet filter into a machine offering
services, OpenBSD isn't going to help you.  There is little difference
between doing this and just turning off all services other than the public
ones and putting it right on the Internet with no protection at all.

I hope you're simply trolling, because that has to be one of the most
asinine, ignorant responses I've seen on this list to date.  You
obviously have little experience with firewalls.  Do you understand the
concepts of stateful inspection?  TCP flags?

An open server without firewall protection has no ability to protect
itself from spoofed or mangled connections.  OpenBSD has a fully
functional, state-of-the-art packet inspection and state engine in PF.
It not only has the ability to track full state in TCP (full sequence
tracking), UDP and ICMP (connection tracking), but it also has the
ability to defragment incoming packets for reassembly and proper
analysis.  Not to mention the current QoS code that's been released for
some time now, and the upcoming (6 months or so) stateful synching
abilities between disparate systems.

OpenBSD/PF compete aggressively with all of the major commercial
offerings out there... FW-1, Netscreen, etc.  To claim that OpenBSD is
inferior to BlackIce in any stretch of the imagination... is laughable.

I'm not here to criticize BlackIce or compare it to OpenBSD.  Rather, I
just wanted to point out that you have no idea what the hell you're
talking about when it comes to OpenBSD firewalls.

-J.
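The two positions in this thread (Dave: drop every fragment; Jason: reassemble so the filter sees a complete packet) come down to one fact: only the first fragment of a datagram carries the TCP/UDP header, so a port-based rule cannot classify the rest. The script below is an added illustration written for this archive page; it is not code from either poster and has nothing to do with PF's own implementation. It builds constructed IPv4 packets offline, shows which pieces expose transport ports, and implements both policies: an unconditional drop of fragments, and reassembly under a fixed cap on how many half-built datagrams are held at once (the cap is what keeps the "DoS from Hell" in check). The addresses, the packet ID, port 80 as the one permitted service, and all function and class names are assumptions made for the example.

```python
"""Added example for the fragment-handling argument above; constructed
packets only, nothing here touches a real network."""
import socket
import struct

IP_MF = 0x2000       # "more fragments" flag in the flags/offset field
IP_OFFMASK = 0x1FFF  # fragment offset, counted in 8-byte units
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_ipv4(src, dst, proto, ident, payload, offset=0, more=False):
    """Minimal IPv4 packet: 20-byte header, no options, zero checksum.
    `offset` is in bytes and must be a multiple of 8, as on the wire."""
    flags_frag = (IP_MF if more else 0) | ((offset // 8) & IP_OFFMASK)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def parse_ipv4(packet):
    """Return the header fields a filter needs to reason about fragments."""
    (vihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "id": ident, "proto": proto,
            "offset": (flags_frag & IP_OFFMASK) * 8,
            "more": bool(flags_frag & IP_MF),
            "payload": packet[ihl:total_len]}


def is_fragment(info):
    return info["more"] or info["offset"] != 0


def transport_ports(info):
    """(src_port, dst_port) when the TCP/UDP header is visible, else None.
    Only the offset-0 piece of a datagram carries it."""
    if info["proto"] not in (IPPROTO_TCP, IPPROTO_UDP):
        return None
    if info["offset"] != 0 or len(info["payload"]) < 4:
        return None
    return struct.unpack("!HH", info["payload"][:4])


def drop_fragments_policy(packet):
    """Dave's policy: fragments are dropped unconditionally, so every packet
    that reaches the port check carries a full transport header."""
    info = parse_ipv4(packet)
    if is_fragment(info):
        return "drop"
    ports = transport_ports(info)
    return "pass" if ports is not None and ports[1] == 80 else "drop"


class BoundedReassembler:
    """Reassemble before filtering, but cap the number of half-built datagrams
    held in memory; once the table is full, new datagrams are dropped instead
    of letting partial fragments consume memory without limit."""

    def __init__(self, max_datagrams):
        self.max_datagrams = max_datagrams
        self.pending = {}  # (src, dst, id, proto) -> {"parts", "total"}

    def feed(self, packet):
        """Return a complete packet once one is available, else None."""
        info = parse_ipv4(packet)
        if not is_fragment(info):
            return packet
        key = (info["src"], info["dst"], info["id"], info["proto"])
        entry = self.pending.get(key)
        if entry is None:
            if len(self.pending) >= self.max_datagrams:
                return None  # table full: refuse rather than grow
            entry = self.pending[key] = {"parts": {}, "total": None}
        entry["parts"][info["offset"]] = info["payload"]
        if not info["more"]:
            entry["total"] = info["offset"] + len(info["payload"])
        if entry["total"] is None:
            return None
        expected = 0  # require contiguous, non-overlapping coverage
        for off in sorted(entry["parts"]):
            if off != expected:
                return None
            expected += len(entry["parts"][off])
        if expected != entry["total"]:
            return None
        del self.pending[key]
        data = b"".join(entry["parts"][off] for off in sorted(entry["parts"]))
        return build_ipv4(info["src"], info["dst"], info["proto"], info["id"], data)


# Constructed sample: a TCP SYN to port 80 with 12 bytes of data (32 bytes of
# TCP in all), sent whole and also split into two 16-byte fragments.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0) + b"A" * 12
WHOLE = build_ipv4("10.0.0.5", "192.0.2.10", IPPROTO_TCP, 0x1234, TCP_SYN)
FRAG1 = build_ipv4("10.0.0.5", "192.0.2.10", IPPROTO_TCP, 0x1234, TCP_SYN[:16], more=True)
FRAG2 = build_ipv4("10.0.0.5", "192.0.2.10", IPPROTO_TCP, 0x1234, TCP_SYN[16:], offset=16)

if __name__ == "__main__":
    for name, pkt in (("whole", WHOLE), ("frag1", FRAG1), ("frag2", FRAG2)):
        print(name, "ports:", transport_ports(parse_ipv4(pkt)),
              "policy:", drop_fragments_policy(pkt))
    r = BoundedReassembler(max_datagrams=64)
    r.feed(FRAG1)
    print("reassembled equals original:", r.feed(FRAG2) == WHOLE)
```

Running it shows the second fragment has no ports at all, so a filter that passes it on would be trusting a packet it cannot classify; the drop policy rejects both fragments and accepts the whole packet, and the reassembler only hands the filter a complete datagram while refusing new partial datagrams once its table is full.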