Firewall Wizards mailing list archives
Re: Cisco PIX bug, discussions (lengthy)
From: John McDermott <jjm () jkintl com>
Date: Wed, 26 Aug 98 15:50:41
--- On Tue, 25 Aug 1998 23:36:45 -0500 Frank Willoughby <frankw () in net> wrote:
At 09:58 AM 8/25/98 -0700, Ryan Russell allegedly wrote:

Agreed that you must defrag for security apps. PIX and FW-1 are both routers, and you expect them to defrag, but you say it can't be done? Cisco routers are also firewalls, if you apply access-lists.. they won't defrag... they need to, since there are problems with access-lists of Ciscos (probably others too, but I really only know Ciscos.) It's certainly not impossible for routers to defrag if they want.

Actually, FW-1 has the capability of behaving like an AG *IF* the "Security Servers" ("proxies" in the real world) are turned on. Although stateful inspection is a very useful feature, it takes a back seat to proxies in my book. Personally, I prefer AGs which use & promote the use of proxies over SPFs/SMLIs.
I agree with this statement. I believe that AGs are at the very least easier to understand and hence easier to manage to some extent. Whether AGs or SPFs provide more security is another matter for another time.
...
Most firewalls have been/will be subject to frag attacks for a while. Until the vendors have solved the problem permanently, we will have to make the best of the current situation and take Denial-of-Service attacks (including frags) into account when doing our Contingency Planning.
I agree here, too, which prompts a question: is there some (simple) attack I can use to demonstrate that SPFs in their current form(s) are (inherently) less secure than proxies? IOW I would like to set up a simple demo to show that the internal systems can be successfully attacked even with an SPF firewall in place. [I am *not* trying to prove SPFs better if such an attack cannot be found; but rather I'd like to demonstrate in a classroom that even with an SPF a network is not as secure as it might be.]

--john

-------------------------------------
Name: John McDermott VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------
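An added illustration (not code from this thread or from any of the vendors discussed) of Ryan's point that a filter must reassemble before applying access-lists: a minimal reassembler that refuses overlapping fragments and first fragments too small to carry the transport header, and a port check that only runs on a clean reassembly. The fragment sets, the 20-byte minimum and the `filter_decision` helper are constructed assumptions for the demo.

```python
import struct
from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int     # byte offset within the original datagram (multiple of 8 unless last)
    more: bool      # IP "more fragments" flag
    payload: bytes
# Assumption: the first fragment must carry a full 20-byte TCP base header, so the
# ports and flags a filter looks at cannot be pushed into a fragment it never checks.
MIN_FIRST_FRAGMENT = 20

def reassemble(frags):
    """Return (payload, None), or (None, reason) when the set is incomplete or unsafe."""
    frags = sorted(frags, key=lambda f: f.offset)
    if not frags or frags[0].offset != 0:
        return None, "no first fragment"
    if frags[0].more and len(frags[0].payload) < MIN_FIRST_FRAGMENT:
        return None, "first fragment too short to carry the transport header"
    out, expected = bytearray(), 0
    for f in frags:
        if f.offset < expected:      # a later fragment would rewrite bytes already seen
            return None, f"overlap at offset {f.offset}"
        if f.offset > expected:
            return None, f"gap before offset {f.offset}"
        if f.more and len(f.payload) % 8:
            return None, f"non-final fragment at offset {f.offset} is not a multiple of 8"
        out += f.payload
        expected += len(f.payload)
    if frags[-1].more:
        return None, "final fragment missing"
    return bytes(out), None

def filter_decision(frags, allowed_dst_ports):
    """Apply a destination-port access-list only to a cleanly reassembled datagram."""
    payload, reason = reassemble(frags)
    if payload is None:
        return "drop", reason
    _src, dst = struct.unpack("!HH", payload[:4])   # TCP/UDP ports are the first 4 bytes
    return ("accept" if dst in allowed_dst_ports else "drop"), f"dst port {dst}"

# Constructed fragment sets: a clean split, an overlapping set, and a tiny first fragment
TCP_HDR_TO_25 = struct.pack("!HH", 1024, 25) + bytes(16)      # 20-byte header, dst port 25
CLEAN = [Fragment(0, True, TCP_HDR_TO_25 + bytes(4)), Fragment(24, False, b"data")]
OVERLAP = [Fragment(0, True, TCP_HDR_TO_25 + bytes(4)), Fragment(16, False, bytes(8))]
TINY_FIRST = [Fragment(0, True, struct.pack("!HH", 1024, 25) + bytes(4)), Fragment(8, False, bytes(16))]

if __name__ == "__main__":
    for name, frags in [("clean", CLEAN), ("overlap", OVERLAP), ("tiny_first", TINY_FIRST)]:
        print(name, filter_decision(frags, {25}))
```

A filter that judged each fragment on its own would see the allowed port in the first fragment of every set; only the reassembled view lets it drop the two malformed ones.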