Re: Cisco PIX bug, discussions (lenghty)

[Robert Stahlbrand <robert () nmac ericsson se>]

here we go...

On Wed, 26 Aug 1998, Euan wrote:

> > > Now, having said this, we can start the war between application
> > > gateway firewalls (which often rely on host TCP/IP stack for
> > > defragmentation) and `stateful inspection' firewalls (which must
> > > defragment).
> >
> > No war neccessary... SPF/SMLI/SI firewalls need to defrag
> > to operate properly.  None of the ones on the market (so
> > far as I know) do so currently.  All AGs do, by their nature.
> > As far as frags go, AGs win.
> Firewall-1 v3.0 manual, p350:
>
> "Firewall-1 performs virtual packet reassembly, and does not send a packet
> until all it's fragments have been collected.  The algorithm used is
> stricter than the standard packet reassembly algorithm, and does not permit
> overlays".
>
> So it would appear that at least one SMLI firewall on the market does
> defrag.  Of course this takes us back to the DoS attacks hinted at
> previously...
>
> -Euan.


One interesting thing about FW-1 one is that it seems to bug if you send
FIN+frag-packet (read more in Phrack-Magazine 48 Uriels Stelth scanner, 51
Fyodors nmap) to a machine behind the firewall and you choose to drop the
packet instead of reject it. The log says that the packet is dropped but
it is not! If the machine on the inside are permitted to answer it does
and you can scan hosts for open ports. This bug is at least a half-year
old and I have tried to bring it to attention before so maybe it's fixed
but I havn't seen any statment that prooves it.

/Robert Stahlbrand, Ericsson Telecom AB

"Real hackers don't die, their TTL expires."