Re: Cisco PIX bug, discussions (lenghty)

[Eric Vyncke <evyncke () cisco com>]

Ryan,

Comments in-line.

At 09:58 25/08/98 -0700, Ryan Russell wrote:
> [performance reasons snipped]
>
> If I may also make a sweeping statement:
>
> Performance isn't relevant to security applications.  I.e. you
> can't say "it will hurt performance, so we'll leave out some
> security."  If that were a consideration, we wouldn't use firewalls.
> Realistically, that means that if it's too slow we buy bigger
> boxes or suffer along at a slower pace.

100% agree with you, of course.

Nevertheless, the transit time can be critical for some
applications.

> > 5) redundant paths... a firewall is a single point of traffic
> > concentration, so, a firewall can reassemble all IP fragments because
> > a firewall `sees' all of the fragments. From a router perspective,
> > a router may not see all fragments due to load balancing among
> > links, route flapping, ... so a router CANNOT make IP defragmentation.
>
> Well...no.  EVERY router can't defrag, but there's no reason my
> single access router in front of my firewall/IDS/whatever can't.

In this case, this router is an integral part of your 
firewall architecture.

And as a part of a firewall system, it would be nice that this
screening router could defrag. I guess/hope (and this is only a guess
as I'm not in the Cisco engineering team) that defrag will
be added to IOS firewall feature.

But, I still do not want that either the core Internet routers
or the internal routers defrag...

> > Conclusion, for security reason you MUST defragment IP datagrams
> > at one location (i.e. the firewall), for technical reasons it is
> > mostly IMPOSSIBLE to defragment in a router.
>
> Agreed that you must defrag for security apps.  PIX and FW-1
> are both routers, and you expect them to defrag, but you say
> it cant be done?  Cisco routers are also firewalls, if you apply
> access-lists.. they won't defrag... they need to, since there
> are problems with access-lists of Ciscos (probably others
> too, but I really only know Ciscos.)  It's certainly not impossible
> for routers to defrag if they want.

;-) personaly, I would not qualify PIX (or FW-1) as a router ;-) They are
forwarding packets but do not/should not run a routing protocol
to build dynamic routing table.

> > Now, having said this, we can start the war between application
> > gateway firewalls (which often rely on host TCP/IP stack for
> > defragmentation) and `stateful inspection' firewalls (which must
> > defragment).
>
> No war neccessary... SPF/SMLI/SI firewalls need to defrag
> to operate properly.  None of the ones on the market (so
> far as I know) do so currently.  All AGs do, by their nature.
> As far as frags go, AGs win.

:-)

> > And even ask whether any IDS is making defragmentation ;-)
>
> If I could make my access/internal router defrag, an IDS
> would be a lot more useful to me.

That is a very valid point for Internet attacks, but, I fear
that a lot of attacks are coming from the inside. And internal
traffic should not be fragmented so current IDS should work.

Nevertheless, having a specific configuration command
that forbid the routing of fragmented packets would be really
desirable in an intranet situation (hoping you do not have Token
Ring or FDDI).

> If for one would love to have the option of my Cisco defragging for me.

I agree that this could be really useful (mainly for screening
routers) but not as a default behavior.

Thanks for your comments anyway

-eric

Eric Vyncke      
Technical Consultant               Cisco Systems Belgium SA/NV
Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
E-mail: evyncke () cisco com          Mobile: +32-75-312.458