Re: Cisco PIX bug, discussions (lenghty)

[Robert Stahlbrand <robert () nmac ericsson se>]

Hi again!

On Tue, 25 Aug 1998, Eric Vyncke wrote:

> Ryan,
>
> Comments in-line.
>
> At 09:58 25/08/98 -0700, Ryan Russell wrote:
> > [performance reasons snipped]
> >
> > If I may also make a sweeping statement:
> >
> > Performance isn't relevant to security applications.  I.e. you
> > can't say "it will hurt performance, so we'll leave out some
> > security."  If that were a consideration, we wouldn't use firewalls.
> > Realistically, that means that if it's too slow we buy bigger
> > boxes or suffer along at a slower pace.
>
> 100% agree with you, of course.

Of course...

> Nevertheless, the transit time can be critical for some
> applications.
>
> > > 5) redundant paths... a firewall is a single point of traffic
> > > concentration, so, a firewall can reassemble all IP fragments because
> > > a firewall `sees' all of the fragments. From a router perspective,
> > > a router may not see all fragments due to load balancing among
> > > links, route flapping, ... so a router CANNOT make IP defragmentation.

And musn't do according to RFC:s!

> > Well...no.  EVERY router can't defrag, but there's no reason my
> > single access router in front of my firewall/IDS/whatever can't.

I don't think any router should do defrag! We must understand that a
router and a firewall are designed for different purposes. To be able to
do filtering on routers is only an option.
A firewall do a lot of things not accoring to any RFC but the main thing
here is to protect networks from any thinkable attack and if there is a
possibility to do defrag-attack then it's the firewall who should handle
it and that's it!

> screening router could defrag. I guess/hope (and this is only a guess
> as I'm not in the Cisco engineering team) that defrag will
> be added to IOS firewall feature.

That is Ciscos concern but if I was in charge I would never do this.
 
> But, I still do not want that either the core Internet routers
> or the internal routers defrag...
>
> > > Conclusion, for security reason you MUST defragment IP datagrams
> > > at one location (i.e. the firewall), for technical reasons it is
> > > mostly IMPOSSIBLE to defragment in a router.
> >
> > Agreed that you must defrag for security apps.  PIX and FW-1
> > are both routers, and you expect them to defrag, but you say
> > it cant be done?  Cisco routers are also firewalls, if you apply
> > access-lists.. they won't defrag... they need to, since there
> > are problems with access-lists of Ciscos (probably others
> > too, but I really only know Ciscos.)  It's certainly not impossible
> > for routers to defrag if they want.
>
> ;-) personaly, I would not qualify PIX (or FW-1) as a router ;-) They are
> forwarding packets but do not/should not run a routing protocol
> to build dynamic routing table.

Correct!

> > > Now, having said this, we can start the war between application
> > > gateway firewalls (which often rely on host TCP/IP stack for
> > > defragmentation) and `stateful inspection' firewalls (which must
> > > defragment).
> >
> > No war neccessary... SPF/SMLI/SI firewalls need to defrag
> > to operate properly.  None of the ones on the market (so
> > far as I know) do so currently.  All AGs do, by their nature.
> > As far as frags go, AGs win.
>
> :-)

It shouldn't be any problem to do this for any kind of firewall. I got an
email from Cisco that they have made a fix to the defrag-problem. This is
unofficial but it seems like it wasn't a very big deal to fix it.

> > > And even ask whether any IDS is making defragmentation ;-)

Which isn't very easy. Got another design and I cannot see how this could
be implemented.

> > If I could make my access/internal router defrag, an IDS
> > would be a lot more useful to me.
>
> That is a very valid point for Internet attacks, but, I fear
> that a lot of attacks are coming from the inside. And internal
> traffic should not be fragmented so current IDS should work.
>
> Nevertheless, having a specific configuration command
> that forbid the routing of fragmented packets would be really
> desirable in an intranet situation (hoping you do not have Token
> Ring or FDDI).

Or SLIP...

> > If for one would love to have the option of my Cisco defragging for me.
>
> I agree that this could be really useful (mainly for screening
> routers) but not as a default behavior.

One most know that this would really reduce the performace of the router.

> Thanks for your comments anyway
>
> -eric
>
> Eric Vyncke      
> Technical Consultant               Cisco Systems Belgium SA/NV
> Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
> E-mail: evyncke () cisco com          Mobile: +32-75-312.458

/Robert Stahlbrand, Ericsson Telecom AB