Firewall Wizards mailing list archives

Re: Penetration testing via shrinkware


From: "tqbf" <ashland () pobox com>
Date: Mon, 21 Sep 1998 18:34:34 -0400 (EDT)

> True, but the same can be said for firewalls, in that there are always new
> attack mechanisms being developed to defeat firewalls; so in a sense they
> are never complete either. Certification of firewalls is usually

I do not believe this is the case. I think most attacks against firewalls
(attacks designed to subvert the protection provided by firewalls) take
advantage of implementation problems (i.e., SYN+FIN ignored) or design
problems (i.e., first-fragment filtering). These problems exploit defects in
firewall software; they violate design requirements.

The discovery of the ToolTalk RPC hole last month did not violate a design
goal of CCS or ISS; neither product was designed to detect the problem.
When detection of this vulnerability is built into scanner products,
failure to detect the ttdbserverd overflow will be a defect, in the same
sense as bad fragment filtering is a defect in a firewall. 

We're comparing apples to oranges here, though.

-----------------------------------------------------------------------------
Thomas H. Ptacek                          Network Security Research Team, NAI
-----------------------------------------------------------------------------
                                 "If you're so special, why aren't you dead?"


