Firewall Wizards mailing list archives

Re: Proxy 2.0 secure? (AG vs. SPF)


From: "Ryan Russell" <ryanr () sybase com>
Date: Tue, 7 Jul 1998 09:40:20 -0700



AGs always rebuild frags in one way, correct?

correct

They don't have to know about each inside stack, correct?

wrong. They should know each inside stack, because an HP printer may handle
fragments, TCP options etc. differently than an NT 3.51 machine or a Linux
box.
Take a look at the SNI paper about IDSs; there you can read how they act
differently on behalf of fragment ages (favors newest/oldest fragment ...).
Your Sun FW-1 may know the correct handling from the RFCs, but not all
internal machines may know these too.
And this is bad for security.

But if the AG already defragged the packets, then there aren't
the weird fragments going inside, right?  This assumes that
your AG doesn't have to fragment on the way inside, or
some intermediate device frags for you in such a way
as to wipe out inside machines by chance.

                         Ryan
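The reassembly-policy difference the thread points to, as an added illustration that is not code from this thread or from the SNI paper: a toy reassembler with a "favor oldest" and a "favor newest" overlap policy, plus the single reassembly an AG performs before forwarding. The fragment bytes are constructed.

```python
"""Toy IP fragment reassembly under two overlap policies, and the
normalization an application gateway (AG) performs.  Added example;
the fragment data below is constructed, not captured traffic."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frag:
    offset: int   # byte offset within the original datagram
    data: bytes


def reassemble(frags, favor_new):
    """Rebuild a datagram from fragments that may overlap.

    favor_new=False keeps bytes already written (favor oldest fragment);
    favor_new=True lets later fragments overwrite earlier ones (favor newest).
    Real stacks mix such rules per overlap position; two policies suffice
    to show that different inside hosts can see different bytes."""
    size = max(f.offset + len(f.data) for f in frags)
    buf = bytearray(size)
    seen = bytearray(size)            # 1 where a byte has been written
    for f in frags:                   # arrival order decides overlaps
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if favor_new or not seen[pos]:
                buf[pos] = b
                seen[pos] = 1
    if not all(seen):
        raise ValueError("gap in fragment coverage")
    return bytes(buf)


def inside_views(frags):
    """What a favor-oldest host and a favor-newest host each end up with."""
    return {"oldest": reassemble(frags, False), "newest": reassemble(frags, True)}


def normalize(frags):
    """An AG reassembles once, under its own (here favor-oldest) policy, and
    forwards one whole datagram, so inside hosts never see the overlap."""
    return [Frag(0, reassemble(frags, favor_new=False))]


# Constructed overlap: the second fragment rewrites bytes 7..11 of the first,
# so the two inside policies disagree until the AG normalizes.
AMBIGUOUS = [Frag(0, b"ACTION=allow"), Frag(7, b"deny ")]

if __name__ == "__main__":
    print(inside_views(AMBIGUOUS))             # hosts disagree
    print(inside_views(normalize(AMBIGUOUS)))  # hosts agree after the AG
```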