Firewall Wizards mailing list archives

Re: Cisco PIX bug, discussions (lengthy)


From: John McDermott <jjm () jkintl com>
Date: Wed, 26 Aug 98 15:50:41


--- On Tue, 25 Aug 1998 23:36:45 -0500  Frank Willoughby <frankw () in net> 
wrote:

> At 09:58 AM 8/25/98 -0700, Ryan Russell allegedly wrote:
>
>> Agreed that you must defrag for security apps.  PIX and FW-1
>> are both routers, and you expect them to defrag, but you say
>> it can't be done?  Cisco routers are also firewalls, if you apply
>> access-lists.. they won't defrag... they need to, since there
>> are problems with access-lists of Ciscos (probably others
>> too, but I really only know Ciscos.)  It's certainly not impossible
>> for routers to defrag if they want.
>
> Actually, FW-1 has the capability of behaving like an AG *IF* 
> the "Security Servers" ("proxies" in the real world) are turned 
> on.  Although stateful inspection is a very useful feature, 
> it takes a back seat to proxies in my book.  Personally, I
> prefer AGs which use & promote the use of proxies over SPFs/SMLIs.

I agree with this statement.  I believe that AGs are at the very least 
easier to understand and hence easier to manage to some extent.  Whether 
AGs or SPFs provide more security is another matter for another time.


...
> Most firewalls have been/will be subject to frag attacks for 
> a while.  Until the vendors have solved the problem permanently, 
> we will have to make the best of the current situation and take
> Denial-of-Service attacks (including frags) into account when
> doing our Contingency Planning.  

I agree here, too, which prompts a question: is there some (simple) attack 
I can use to demonstrate that SPFs in their current form(s) are 
(inherently) less secure than proxies?  IOW I would like to set up a simple 
demo to show that the internal systems can be successfully attacked even 
with an SPF firewall in place. [I am *not* trying to prove SPFs better if 
such an attack cannot be found; but rather I'd like to demonstrate in a 
classroom that even with an SPF a network is not as secure as it might be.]

--john

-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------
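The thread's point that a filtering device must reassemble fragments before it applies access-lists is easier to see with a small model of what "defrag" has to check. The following is an added illustration, not code from the thread or from any Cisco or Check Point product: a toy IPv4 fragment reassembler that refuses the fragment sets a filter cannot judge safely (a first fragment too short to hold the transport header, a later fragment landing inside the header region as in the RFC 1858 rule, and overlapping fragments, where end-host stacks disagree on which bytes win). The `Fragment` type, the `MIN_FIRST_FRAGMENT` threshold and the sample fragment sets in `demo()` are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

# Smallest first fragment we accept: one complete TCP header (20 bytes), so the
# ports and flags an access-list keys on are always in the piece the filter
# sees.  Threshold chosen for this example; real devices make it configurable.
MIN_FIRST_FRAGMENT = 20


@dataclass
class Fragment:
    ident: int      # IP identification field, shared by all pieces of one datagram
    offset: int     # byte offset of this piece within the original payload
    more: bool      # the "More Fragments" flag
    payload: bytes


@dataclass
class _Pending:
    pieces: List[Tuple[int, bytes]] = field(default_factory=list)
    total: Optional[int] = None  # known once the piece with more=False arrives


class Reassembler:
    """Reassemble fragments per identification value, refusing ambiguous sets."""

    def __init__(self) -> None:
        self._pending: Dict[int, _Pending] = {}

    def add(self, frag: Fragment) -> Tuple[str, Union[bytes, str, None]]:
        """Return ("pending", None), ("complete", datagram) or ("dropped", reason)."""
        entry = self._pending.setdefault(frag.ident, _Pending())
        reason = self._reject_reason(frag, entry)
        if reason is not None:
            # Drop every piece of the datagram: a filter must not forward a set
            # it cannot reassemble unambiguously, because the end host might.
            del self._pending[frag.ident]
            return "dropped", reason
        entry.pieces.append((frag.offset, frag.payload))
        if not frag.more:
            entry.total = frag.offset + len(frag.payload)
        data = self._assemble(entry)
        if data is None:
            return "pending", None
        del self._pending[frag.ident]
        return "complete", data

    @staticmethod
    def _reject_reason(frag: Fragment, entry: _Pending) -> Optional[str]:
        if frag.offset % 8:
            return "offset not a multiple of 8"
        if frag.offset == 0 and frag.more and len(frag.payload) < MIN_FIRST_FRAGMENT:
            return "first fragment too small to carry the transport header"
        if 0 < frag.offset < MIN_FIRST_FRAGMENT:
            # RFC 1858-style rule: a non-first piece landing inside the header
            # region could rewrite the ports the first piece was checked on.
            return "fragment would overwrite the transport header"
        end = frag.offset + len(frag.payload)
        if entry.total is not None and end > entry.total:
            return "fragment extends past the end of the datagram"
        if not frag.more and any(off + len(d) > end for off, d in entry.pieces):
            return "earlier fragment extends past the end of the datagram"
        for off, data in entry.pieces:
            if frag.offset < off + len(data) and off < end:
                # Stacks disagree on which overlapping bytes win, so a filter
                # and the host behind it can see different packets.  Refuse.
                return "overlapping fragments"
        return None

    @staticmethod
    def _assemble(entry: _Pending) -> Optional[bytes]:
        if entry.total is None:
            return None
        expected = 0
        out = bytearray()
        for off, data in sorted(entry.pieces):
            if off != expected:
                return None  # gap: still waiting for a piece
            out += data
            expected = off + len(data)
        return bytes(out) if expected == entry.total else None


def demo() -> List[str]:
    """Constructed fragment sets; returns the verdict for each set."""
    r = Reassembler()
    verdicts = []
    # 1. Well-formed: 24-byte first piece and 8-byte tail, arriving out of order.
    r.add(Fragment(1, 24, False, b"T" * 8))
    verdicts.append(r.add(Fragment(1, 0, True, b"H" * 24))[0])
    # 2. First piece too small to carry the TCP header.
    verdicts.append(r.add(Fragment(2, 0, True, b"H" * 8))[0])
    # 3. Second piece overlaps the first.
    r.add(Fragment(3, 0, True, b"H" * 24))
    verdicts.append(r.add(Fragment(3, 16, False, b"X" * 16))[0])
    # 4. Non-first piece landing inside the header region.
    r.add(Fragment(4, 0, True, b"H" * 24))
    verdicts.append(r.add(Fragment(4, 8, False, b"X" * 8))[0])
    return verdicts  # ["complete", "dropped", "dropped", "dropped"]


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that an ambiguous set is dropped whole rather than resolved by a "first wins" or "last wins" policy: a filter that picks one policy while the protected host uses the other is exactly the situation in which an access-list inspects one packet and the host receives another.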