Firewall Wizards mailing list archives

Re: Cisco PIX bug, discussions (lengthy)


From: Frank Willoughby <frankw () in net>
Date: Tue, 25 Aug 1998 23:36:45 -0500

At 09:58 AM 8/25/98 -0700, Ryan Russell allegedly wrote:


> Agreed that you must defrag for security apps.  PIX and FW-1
> are both routers, and you expect them to defrag, but you say
> it can't be done?  Cisco routers are also firewalls, if you apply
> access-lists.. they won't defrag... they need to, since there
> are problems with access-lists of Ciscos (probably others
> too, but I really only know Ciscos.)  It's certainly not impossible
> for routers to defrag if they want.

Actually, FW-1 has the capability of behaving like an AG *IF* 
the "Security Servers" ("proxies" in the real world) are turned 
on.  Although stateful inspection is a very useful feature, 
it takes a back seat to proxies in my book.  Personally, I
prefer AGs which use & promote the use of proxies over SPFs/SMLIs.

Cisco claims to have "cut-through proxies".  The docs I have seen 
so far seem to indicate that their use of the term "proxy" (in 
the normal firewall use of the term) is misleading.  YMMV, but I 
would suggest you read their documentation first and then decide 
for yourself if the PIX is an AG or a PF.  Maybe I'm missing 
something (please correct me if I am wrong), but it sure looks 
like a PF to me.

At least Checkpoint can use proxies if they wanted to.  
Historically, they have claimed that SPF/SMLI is better.
I disagree.  Cisco doesn't even have proxies.

Most firewalls have been/will be subject to frag attacks for 
a while.  Until the vendors have solved the problem permanently, 
we will have to make the best of the current situation and take
Denial-of-Service attacks (including frags) into account when
doing our Contingency Planning.  I have privately talked to a 
couple about this problem and mentioned a modest method or two 
about preventing them.  Some vendors have been receptive, some 
not.  Perhaps one day, frag attacks will be a thing of the past.  
Time will tell.

Last, but not least, I would like to mention that firewalls
are *security* products first and network products second.
Network products are designed to provide the maximum bandwidth
and connectivity possible.  Firewalls are designed to restrict 
network connectivity to only authorized connections/services.  
If you want bandwidth, buy a router.  If you want security, 
buy a decent firewall.

Best Regards,


Frank
The opinions of the author of this mail may not necessarily be 
representative of the opinions of Fortified Networks, Inc.

(c) Fortified Networks, Inc. - http://www.fortified.com/
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Fixed Price Contracts - Expert Information Security Officers
Phone: (317) 573-0800     Fax: (317) 573-0817

