Firewall Wizards mailing list archives
Re: Cisco PIX bug, discussions (lenghty)
From: Robert Stahlbrand <robert () nmac ericsson se>
Date: Thu, 27 Aug 1998 16:12:49 +0200 (MET DST)
Hi again! On Tue, 25 Aug 1998, Eric Vyncke wrote:
Ryan, Comments in-line. At 09:58 25/08/98 -0700, Ryan Russell wrote:[performance reasons snipped] If I may also make a sweeping statement: Performance isn't relevant to security applications. I.e. you can't say "it will hurt performance, so we'll leave out some security." If that were a consideration, we wouldn't use firewalls. Realistically, that means that if it's too slow we buy bigger boxes or suffer along at a slower pace.100% agree with you, of course.
Of course...
Nevertheless, the transit time can be critical for some applications.5) redundant paths... a firewall is a single point of traffic concentration, so, a firewall can reassemble all IP fragments because a firewall `sees' all of the fragments. From a router perspective, a router may not see all fragments due to load balancing among links, route flapping, ... so a router CANNOT make IP defragmentation.
And musn't do according to RFC:s!
Well...no. EVERY router can't defrag, but there's no reason my single access router in front of my firewall/IDS/whatever can't.
I don't think any router should do defrag! We must understand that a router and a firewall are designed for different purposes. To be able to do filtering on routers is only an option. A firewall do a lot of things not accoring to any RFC but the main thing here is to protect networks from any thinkable attack and if there is a possibility to do defrag-attack then it's the firewall who should handle it and that's it!
screening router could defrag. I guess/hope (and this is only a guess as I'm not in the Cisco engineering team) that defrag will be added to IOS firewall feature.
That is Ciscos concern but if I was in charge I would never do this.
But, I still do not want that either the core Internet routers or the internal routers defrag...Conclusion, for security reason you MUST defragment IP datagrams at one location (i.e. the firewall), for technical reasons it is mostly IMPOSSIBLE to defragment in a router.Agreed that you must defrag for security apps. PIX and FW-1 are both routers, and you expect them to defrag, but you say it cant be done? Cisco routers are also firewalls, if you apply access-lists.. they won't defrag... they need to, since there are problems with access-lists of Ciscos (probably others too, but I really only know Ciscos.) It's certainly not impossible for routers to defrag if they want.;-) personaly, I would not qualify PIX (or FW-1) as a router ;-) They are forwarding packets but do not/should not run a routing protocol to build dynamic routing table.
Correct!
Now, having said this, we can start the war between application gateway firewalls (which often rely on host TCP/IP stack for defragmentation) and `stateful inspection' firewalls (which must defragment).No war neccessary... SPF/SMLI/SI firewalls need to defrag to operate properly. None of the ones on the market (so far as I know) do so currently. All AGs do, by their nature. As far as frags go, AGs win.:-)
It shouldn't be any problem to do this for any kind of firewall. I got an email from Cisco that they have made a fix to the defrag-problem. This is unofficial but it seems like it wasn't a very big deal to fix it.
And even ask whether any IDS is making defragmentation ;-)
Which isn't very easy. Got another design and I cannot see how this could be implemented.
If I could make my access/internal router defrag, an IDS would be a lot more useful to me.That is a very valid point for Internet attacks, but, I fear that a lot of attacks are coming from the inside. And internal traffic should not be fragmented so current IDS should work. Nevertheless, having a specific configuration command that forbid the routing of fragmented packets would be really desirable in an intranet situation (hoping you do not have Token Ring or FDDI).
Or SLIP...
If for one would love to have the option of my Cisco defragging for me.I agree that this could be really useful (mainly for screening routers) but not as a default behavior.
One most know that this would really reduce the performace of the router.
Thanks for your comments anyway -eric Eric Vyncke Technical Consultant Cisco Systems Belgium SA/NV Phone: +32-2-778.4677 Fax: +32-2-778.4300 E-mail: evyncke () cisco com Mobile: +32-75-312.458
/Robert Stahlbrand, Ericsson Telecom AB
Current thread:
- Re: Cisco PIX bug, discussions (lenghty) Eric Vyncke (Aug 25)
- <Possible follow-ups>
- Re: Cisco PIX bug, discussions (lenghty) Ryan Russell (Aug 25)
- Re: Cisco PIX bug, discussions (lenghty) Eric Vyncke (Aug 25)
- Re: Cisco PIX bug, discussions (lenghty) Robert Stahlbrand (Aug 27)
- Re: Cisco PIX bug, discussions (lenghty) Kevin Steves (Aug 28)
- Re: Cisco PIX bug, discussions (lenghty) Eric Vyncke (Aug 25)
- Re: Cisco PIX bug, discussions (lengthy) Frank Willoughby (Aug 26)
- Re: Cisco PIX bug, discussions (lenghty) Euan (Aug 26)
- Re: Cisco PIX bug, discussions (lenghty) Aleph One (Aug 27)
- Re: Cisco PIX bug, discussions (lenghty) Robert Stahlbrand (Aug 27)
- Message not available
- Re: Cisco PIX bug, discussions (lenghty) Eric Vyncke (Aug 28)
- Re: Cisco PIX bug, discussions (lenghty) Joseph S. D. Yao (Aug 26)
- Re: performance vs. security (was Cisco PIX ...) (NetQuest) Borkin, Michael (Aug 30)
- Re: Cisco PIX bug, discussions (lenghty) Robert Stahlbrand (Aug 27)