Firewall Wizards mailing list archives

Re: Important Comments re: Intrusion Detection


From: "Paul D. Robertson" <proberts () clark net>
Date: Sun, 15 Feb 1998 09:50:29 -0500 (EST)

On Sun, 15 Feb 1998, Darren Reed wrote:

> IP packets can be rebuilt at firewalls, doing packet filtering, but
> it can be construed to be a `bad thing' on the principle that gateways
> (or routers) don't reassemble fragments and just pass packets on.

I'm curious as to why this is a "bad thing"?  Reassembly prior to passing 
to the packet filtering layer gets rid of a whole class of attack.  Most 
of the time these days fragments all travel the same path relatively 
quickly, and the only major disadvantage I can see is that the gateway's 
stack buffering needs to be large, and hopefully indexed rather than 
linearly addressed for large sites, but that's more of an implementation 
issue.

> I wonder how FW-1 would stack up to the sort of tests that SNI put
> the various IDS systems through.

I suppose I wasn't the first to wonder this.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
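The design point in the message above, reassembling fragments before the filter rather than judging each fragment on its own, is easy to see in code. The following is an added example written for this archive page, not code from the thread, from FW-1 or from any product mentioned. It models fragments as plain Python objects so it runs offline; the 8-byte offset unit and the (source, destination, identification, protocol) reassembly key follow RFC 791, while the filter rule, the buffer bound, the addresses and the sample fragments are constructed for illustration. It also shows the buffering cost the message mentions (a bounded pending table) and the safe handling of the one case a filter cannot resolve on its own, overlapping fragments, which are discarded rather than guessed at.

```python
"""Added example (not from the original thread): reassemble IP fragments
before handing the datagram to the packet filter, and compare that with
filtering each fragment on its own.  Constructed data throughout."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_DATAGRAM = 65535   # RFC 791 maximum total length
PROTO_TCP = 6


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int
    proto: int
    offset: int      # byte offset in the datagram (RFC 791 8-byte units already applied)
    more: bool       # MF flag: True for every fragment except the last
    payload: bytes


@dataclass
class Datagram:
    src: str
    dst: str
    proto: int
    payload: bytes


@dataclass
class _Entry:
    parts: List[Tuple[int, int, bytes]]   # (start, end, payload)
    total: Optional[int] = None           # known once the MF=0 fragment arrives


class Reassembler:
    """Collects fragments per (src, dst, ident, proto) and returns the complete
    datagram once every byte from 0 to the last fragment's end is present.
    Overlapping fragments discard the whole datagram: an overlap is exactly
    the ambiguity a filter cannot resolve safely.  The pending table is
    bounded, since gateway memory is the price of reassembling."""

    def __init__(self, max_pending: int = 1024) -> None:
        self.max_pending = max_pending
        self.pending: Dict[Tuple[str, str, int, int], _Entry] = {}

    def add(self, f: Fragment) -> Optional[Datagram]:
        key = (f.src, f.dst, f.ident, f.proto)
        entry = self.pending.get(key)
        if entry is None:
            if len(self.pending) >= self.max_pending:
                self.pending.pop(next(iter(self.pending)))   # evict oldest incomplete
            entry = self.pending[key] = _Entry(parts=[])
        start, end = f.offset, f.offset + len(f.payload)
        if not f.more:
            entry.total = end
        bad = end > MAX_DATAGRAM or (entry.total is not None and end > entry.total)
        bad = bad or any(start < e and s < end for s, e, _ in entry.parts)
        if bad:
            del self.pending[key]          # oversize or overlapping: drop the datagram
            return None
        entry.parts.append((start, end, f.payload))
        if entry.total is None:
            return None                    # last fragment not seen yet
        pos = 0
        ordered = sorted(entry.parts)
        for s, e, _ in ordered:
            if s != pos:
                return None                # a gap remains; keep waiting
            pos = e
        if pos != entry.total:
            return None
        del self.pending[key]
        return Datagram(f.src, f.dst, f.proto, b"".join(p for _, _, p in ordered))


def tcp_dst_port(payload: bytes) -> Optional[int]:
    """Destination port from the start of a TCP header, None if not present."""
    return int.from_bytes(payload[2:4], "big") if len(payload) >= 4 else None


def filter_datagram(d: Datagram, blocked_ports) -> str:
    """Constructed rule: block TCP to the listed ports; fail closed if the
    transport header cannot be read."""
    if d.proto != PROTO_TCP:
        return "accept"
    port = tcp_dst_port(d.payload)
    return "drop" if port is None or port in blocked_ports else "accept"


def filter_fragment(f: Fragment, blocked_ports) -> str:
    """Per-fragment filtering with no reassembly: only the fragment at offset 0
    carries the transport header, so every other fragment is unclassifiable
    and, failing closed, is dropped even when it belongs to allowed traffic."""
    if f.proto != PROTO_TCP:
        return "accept"
    port = tcp_dst_port(f.payload) if f.offset == 0 else None
    return "drop" if port is None or port in blocked_ports else "accept"


def make_tcp_fragments(src, dst, ident, dst_port, data: bytes) -> List[Fragment]:
    """Constructed TCP segment (ports plus zero fill for the rest of the header)
    split into an 8-byte first fragment and the remainder."""
    header = (1234).to_bytes(2, "big") + dst_port.to_bytes(2, "big") + bytes(16)
    segment = header + data
    return [Fragment(src, dst, ident, PROTO_TCP, 0, True, segment[:8]),
            Fragment(src, dst, ident, PROTO_TCP, 8, False, segment[8:])]


def run_demo() -> Dict[str, List[str]]:
    """Deliver an allowed (port 80) and a blocked (port 23) datagram, both
    fragmented and arriving tail first, through each filtering model."""
    blocked = {23}
    frags = make_tcp_fragments("10.0.0.1", "10.0.0.2", 1, 80, b"GET / HTTP/1.0\r\n")
    frags += make_tcp_fragments("10.0.0.1", "10.0.0.2", 2, 23, b"telnet")
    frags = [frags[1], frags[3], frags[0], frags[2]]      # tails before heads
    per_fragment = [filter_fragment(f, blocked) for f in frags]
    reassembled, r = [], Reassembler()
    for f in frags:
        d = r.add(f)
        if d is not None:
            reassembled.append(filter_datagram(d, blocked))
    return {"per_fragment": per_fragment, "reassembled": reassembled}


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` gives the contrast in one line: the per-fragment filter, having no header to look at, drops the tail of the allowed port-80 datagram as well as both halves of the blocked one, so it can only be made safe by breaking legitimate fragmented traffic; the reassembled path accepts the port-80 datagram whole and drops the port-23 one, with the decision made once on the complete datagram.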