Firewall Wizards mailing list archives

Re: Firewall comparison in Data Communications


From: "Ge' Weijers" <ge () progressive-systems com>
Date: Thu, 3 Jun 1999 11:39:21 -0400

On Thu, Jun 03, 1999 at 07:44:58AM -0400, Steven M. Bellovin wrote:
> Right.  More fundamentally, firewalls can't protect you against bugs at
> a higher level of the protocol stack.  An IP+port number firewall (i.e.,
> a typical packet filter) is blind to TCP holes.  For that matter, it's
> blind to attacks based on other portions of the IP packet that it doesn't
> look at -- 'ping of death' comes to mind.

Even dynamic packet filters (marketing-speak: Multi-Layer Stateful
Inspection firewalls) only have limited value here. Most of them don't
match 'host/network unreachable' ICMP messages to actual connection
attempts. Not that this _can't_ be done correctly, the overhead is
just considered too high. And there's your hole to get a variant of
ping of death through.

Ge'


-- 
-
Ge' Weijers                                Voice: (614)326 4600
Progressive Systems, Inc.                    FAX: (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220
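[Editor's added example, not code from Ge' Weijers, Steven Bellovin or Progressive Systems.] The two points in the exchange above are a per-fragment bounds check that an IP+port packet filter never performs (the 'ping of death' case) and the ICMP-to-connection matching that Ge' says is possible but usually skipped. The Python sketch below does both on constructed packets: it records outbound TCP SYNs, admits an inbound 'destination unreachable' only when the IP header and port pair quoted inside it (RFC 792) belong to a SYN it saw leave, and drops any fragment whose offset plus length would push reassembly past 65535 bytes. The addresses (documentation ranges), ports and packets are made up for the example; checksums are left zero because nothing here touches the wire.

```python
import struct
from socket import inet_aton, inet_ntoa

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
ICMP_DEST_UNREACH = 3          # RFC 792 "destination unreachable"
IP_MAX_DATAGRAM = 65535        # largest datagram IPv4 can describe
TCP_SYN, TCP_SYNACK = 0x02, 0x12


def build_ipv4(src, dst, proto, payload, ident=1, more_frags=False, frag_off=0):
    """IPv4 header without options (checksum left zero) followed by payload.
    frag_off is given in bytes; on the wire it is stored divided by 8."""
    flags_off = (0x2000 if more_frags else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, inet_aton(src), inet_aton(dst))
    return hdr + payload


def tcp_segment(sport, dport, flags):
    """20-byte TCP header, no options, no payload (checksum left zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def icmp_unreachable(original_datagram, code=1):
    """ICMP type 3 quoting the offending IP header + 8 bytes, as RFC 792 specifies."""
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + original_datagram[:28]


def parse_ipv4(pkt):
    """Fields the filter needs; ValueError for a header it cannot trust."""
    if len(pkt) < 20:
        raise ValueError("short header")
    (ver_ihl, _tos, total_len, _ident, flags_off, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad version or IHL")
    return {"src": inet_ntoa(src), "dst": inet_ntoa(dst), "proto": proto,
            "ihl": ihl, "frag_off": (flags_off & 0x1FFF) * 8,
            "data": pkt[ihl:total_len]}


class StatefulFilter:
    """Remembers outbound TCP SYNs and judges inbound packets against them."""

    def __init__(self):
        self.pending = set()   # (local_ip, local_port, remote_ip, remote_port)

    def outbound(self, pkt):
        ip = parse_ipv4(pkt)
        if ip["proto"] == IPPROTO_TCP and ip["frag_off"] == 0 and len(ip["data"]) >= 14:
            sport, dport = struct.unpack("!HH", ip["data"][:4])
            if ip["data"][13] & TCP_SYN:          # byte 13 of the TCP header holds the flags
                self.pending.add((ip["src"], sport, ip["dst"], dport))

    def inbound(self, pkt):
        """'ACCEPT ...' or 'DROP ...' for a packet arriving from outside."""
        try:
            ip = parse_ipv4(pkt)
        except ValueError as err:
            return f"DROP malformed header: {err}"
        # Ping-of-death class: this one fragment already proves reassembly would
        # exceed 65535 bytes. A port-only filter never reads the offset field.
        if ip["ihl"] + ip["frag_off"] + len(ip["data"]) > IP_MAX_DATAGRAM:
            return "DROP fragment would overflow reassembly"
        if ip["proto"] == IPPROTO_ICMP:
            return self._icmp(ip)
        if ip["proto"] == IPPROTO_TCP and ip["frag_off"] == 0 and len(ip["data"]) >= 4:
            sport, dport = struct.unpack("!HH", ip["data"][:4])
            if (ip["dst"], dport, ip["src"], sport) in self.pending:
                return "ACCEPT reply to tracked connection"
        return "DROP no matching state"

    def _icmp(self, ip):
        icmp = ip["data"]
        if len(icmp) < 8 or icmp[0] != ICMP_DEST_UNREACH:
            return "DROP ICMP type not handled here"
        try:                                      # quoted datagram names the connection
            inner = parse_ipv4(icmp[8:])
        except ValueError:
            return "DROP unreachable with unparsable quoted header"
        if inner["proto"] != IPPROTO_TCP or len(inner["data"]) < 4 or inner["src"] != ip["dst"]:
            return "DROP unreachable does not quote our TCP traffic"
        sport, dport = struct.unpack("!HH", inner["data"][:4])
        if (inner["src"], sport, inner["dst"], dport) in self.pending:
            return "ACCEPT unreachable matches a pending connection"
        return "DROP unsolicited unreachable"


def demo():
    """Constructed traffic (documentation address ranges); returns the decisions."""
    fw = StatefulFilter()
    syn = build_ipv4("10.0.0.5", "192.0.2.10", IPPROTO_TCP, tcp_segment(40000, 80, TCP_SYN))
    fw.outbound(syn)
    router = "198.51.100.1"
    related = build_ipv4(router, "10.0.0.5", IPPROTO_ICMP, icmp_unreachable(syn))
    never_sent = build_ipv4("10.0.0.5", "192.0.2.10", IPPROTO_TCP,
                            tcp_segment(40000, 443, TCP_SYN))
    unsolicited = build_ipv4(router, "10.0.0.5", IPPROTO_ICMP, icmp_unreachable(never_sent))
    synack = build_ipv4("192.0.2.10", "10.0.0.5", IPPROTO_TCP,
                        tcp_segment(80, 40000, TCP_SYNACK))
    # Final fragment of an ICMP echo at the highest offset: 20 + 65528 + 20 > 65535.
    oversize = build_ipv4("203.0.113.7", "10.0.0.5", IPPROTO_ICMP,
                          b"\x08\x00" + bytes(18), frag_off=65528)
    return [fw.inbound(p) for p in (related, unsolicited, synack, oversize)]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The cost Ge' refers to is visible in _icmp: every unreachable message forces a second header parse and a state-table lookup, which is what a filter that only checks the outer IP header and ICMP type avoids, and why an unmatched unreachable slips through such a filter. The fragment check, by contrast, is stateless and cheap; it is simply not something an IP+port filter bothers to do.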


