Firewall Wizards mailing list archives
Re: Cisco PIX bug, discussions (lengthy)
From: Frank Willoughby <frankw () in net>
Date: Tue, 25 Aug 1998 23:36:45 -0500
At 09:58 AM 8/25/98 -0700, Ryan Russell allegedly wrote:
> Agreed that you must defrag for security apps. PIX and FW-1 are both routers, and you expect them to defrag, but you say it can't be done? Cisco routers are also firewalls, if you apply access-lists.. they won't defrag... they need to, since there are problems with access-lists of Ciscos (probably others too, but I really only know Ciscos.) It's certainly not impossible for routers to defrag if they want.
Actually, FW-1 has the capability of behaving like an AG *IF* the "Security Servers" ("proxies" in the real world) are turned on. Although stateful inspection is a very useful feature, it takes a back seat to proxies in my book. Personally, I prefer AGs which use & promote the use of proxies over SPFs/SMLIs.

Cisco claims to have "cut-through proxies". The docs I have seen so far seem to indicate that their use of the term "proxy" (in the normal firewall use of the term) is misleading. YMMV, but I would suggest you read their documentation first and then decide for yourself if the PIX is an AG or a PF. Maybe I'm missing something (please correct me if I am wrong), but it sure looks like a PF to me.

At least Checkpoint can use proxies if they wanted to. Historically, they have claimed that SPF/SMLI is better. I disagree. Cisco doesn't even have proxies.

Most firewalls have been/will be subject to frag attacks for a while. Until the vendors have solved the problem permanently, we will have to make the best of the current situation and take Denial-of-Service attacks (including frags) into account when doing our Contingency Planning. I have privately talked to a couple about this problem and mentioned a modest method or two about preventing them. Some vendors have been receptive, some not. Perhaps one day, frag attacks will be a thing of the past. Time will tell.

Last, but not least, I would like to mention that firewalls are *security* products first and network products second. Network products are designed to provide the maximum bandwidth and connectivity possible. Firewalls are designed to restrict network connectivity to only authorized connections/services. If you want bandwidth, buy a router. If you want security, buy a decent firewall.

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.
(c) Fortified Networks, Inc.
http://www.fortified.com/
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Fixed Price Contracts - Expert Information Security Officers
Phone: (317) 573-0800 Fax: (317) 573-0817
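Ryan's point that a filter must reassemble before it can apply an access list, and Frank's remark that most firewalls have been subject to frag attacks, are easier to see with a worked case. The Python below is an added example written for this page; it is not code from the thread, from Cisco or from Check Point, and it says nothing about the specific PIX bug under discussion. The fragment layouts are constructed by hand, and the access list, per-fragment filter and reassembler are toy versions. It shows two classic fragment tricks (a first fragment too short to carry the TCP flags, and a second fragment that overlaps and overwrites the flags) that a per-fragment access list passes and a reassembling filter drops.

```python
"""Added example: why a packet filter must reassemble IP fragments before
applying its access list. Fragments, rule and filters are constructed toys."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SYN, ACK = 0x02, 0x10
TCP_HDR_LEN = 20  # minimal TCP header: ports at bytes 0-3, flags at byte 13


@dataclass
class Fragment:
    ident: int      # IP identification, shared by all pieces of one datagram
    offset: int     # fragment offset in 8-byte units, as carried in the IP header
    more: bool      # MF bit
    payload: bytes  # the transport-layer bytes this fragment carries


def tcp_header(sport: int, dport: int, flags: int, seq: int = 1, ack: int = 0) -> bytes:
    """Build a 20-byte TCP header with no options (data offset 5)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)


def rule(dport: int, flags: int) -> str:
    """The access list under test: drop inbound connection attempts to telnet."""
    if dport == 23 and (flags & SYN) and not (flags & ACK):
        return "drop"
    return "pass"


def per_fragment_filter(frag: Fragment) -> str:
    """Stateless access list applied to each fragment on its own.
    Non-first fragments carry no transport header, so they are passed on the
    assumption that the end host discards them if the first one was dropped.
    Header fields that do not fit in the first fragment cannot be seen at all."""
    if frag.offset != 0 or len(frag.payload) < 4:
        return "pass"
    dport = struct.unpack("!H", frag.payload[2:4])[0]
    flags = frag.payload[13] if len(frag.payload) > 13 else 0  # absent -> looks clear
    return rule(dport, flags)


class Reassembler:
    """Minimal IP reassembly keyed by identification. Returns the datagram once
    complete, together with a flag saying whether any fragment overlapped."""

    def __init__(self) -> None:
        self.pending: Dict[int, Tuple[List[Tuple[int, bytes]], Optional[int]]] = {}

    def add(self, frag: Fragment) -> Optional[Tuple[bytes, bool]]:
        chunks, total = self.pending.get(frag.ident, ([], None))
        start = frag.offset * 8
        chunks.append((start, frag.payload))
        if not frag.more:
            total = start + len(frag.payload)
        self.pending[frag.ident] = (chunks, total)
        if total is None:
            return None
        buf, covered, overlap = bytearray(total), bytearray(total), False
        for start, data in chunks:  # arrival order: a later copy overwrites an earlier one
            end = start + len(data)
            if end > total:
                return None  # malformed: data beyond the last fragment
            if any(covered[start:end]):
                overlap = True
            buf[start:end] = data
            covered[start:end] = b"\x01" * len(data)
        if not all(covered):
            return None  # a hole remains; wait for more fragments
        del self.pending[frag.ident]
        return bytes(buf), overlap


def defragmenting_filter(frags: List[Fragment]) -> str:
    """Reassemble first, then apply the rule to the complete transport header.
    Overlaps are dropped outright: which copy an end host keeps is OS-dependent,
    so a firewall that guesses can be shown a different packet than the host."""
    asm = Reassembler()
    for f in frags:
        done = asm.add(f)
        if done is not None:
            datagram, overlap = done
            if overlap or len(datagram) < TCP_HDR_LEN:
                return "drop"
            dport = struct.unpack("!H", datagram[2:4])[0]
            return rule(dport, datagram[13])
    return "drop"  # an incomplete datagram never reaches the rule


def tiny_fragment_attack() -> List[Fragment]:
    """Constructed: a SYN to port 23 split so the first fragment carries only the
    ports and sequence number; the flags arrive in the second fragment."""
    hdr = tcp_header(40000, 23, SYN)
    return [Fragment(1, 0, True, hdr[:8]), Fragment(1, 1, False, hdr[8:])]


def overlapping_fragment_attack() -> List[Fragment]:
    """Constructed: the first fragment shows a harmless ACK to port 23; the second,
    8 bytes in, overwrites bytes 8-19 (flags included) with those of a SYN."""
    benign, real = tcp_header(40000, 23, ACK), tcp_header(40000, 23, SYN)
    return [Fragment(2, 0, True, benign[:16]), Fragment(2, 1, False, real[8:])]


def compare(frags: List[Fragment]) -> Dict[str, object]:
    return {"per_fragment": [per_fragment_filter(f) for f in frags],
            "after_reassembly": defragmenting_filter(frags)}


if __name__ == "__main__":
    for name, frags in (("tiny", tiny_fragment_attack()),
                        ("overlap", overlapping_fragment_attack())):
        print(name, compare(frags))
```

In both constructed cases the per-fragment filter returns "pass" for every fragment while the reassembling filter returns "drop". A real implementation also needs timeouts and memory limits on the pending table, since an attacker who never sends the last fragment can otherwise exhaust the firewall, which is the denial-of-service side of the frag problem that Frank mentions.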
Current thread:
- Re: Cisco PIX bug, discussions (lenghty) Eric Vyncke (Aug 25)
- Re: Cisco PIX bug, discussions (lenghty) Ryan Russell (Aug 25)
- Re: Cisco PIX bug, discussions (lenghty) Eric Vyncke (Aug 25)
- Re: Cisco PIX bug, discussions (lenghty) Robert Stahlbrand (Aug 27)
- Re: Cisco PIX bug, discussions (lenghty) Kevin Steves (Aug 28)
- Re: Cisco PIX bug, discussions (lenghty) Eric Vyncke (Aug 25)
- Re: Cisco PIX bug, discussions (lengthy) Frank Willoughby (Aug 26)
- Re: Cisco PIX bug, discussions (lenghty) Euan (Aug 26)
- Re: Cisco PIX bug, discussions (lenghty) Aleph One (Aug 27)
- Re: Cisco PIX bug, discussions (lenghty) Robert Stahlbrand (Aug 27)
- Message not available
- Re: Cisco PIX bug, discussions (lenghty) Eric Vyncke (Aug 28)
- Re: Cisco PIX bug, discussions (lenghty) Joseph S. D. Yao (Aug 26)
- Re: performance vs. security (was Cisco PIX ...) (NetQuest) Borkin, Michael (Aug 30)
- Re: Cisco PIX bug, discussions (lenghty) Robert Stahlbrand (Aug 27)