Firewall Wizards mailing list archives
Re: Firewall comparison in Data Communications
From: dnewman () cmp com
Date: Thu, 3 Jun 1999 11:45:24 -0400
Most SPF products (including all those in the Data Comm) have specific anti-ping o' death routines. True, this usually isn't part of the SPF itself. But there are safeguards in place against common attacks like IP spoofing, SYN flooding, ping of death, and the like. In the case of the ping of death, I presume these routines drop ICMP packets with a length greater than 64 kbytes. I'm curious to hear--what variant of the ping of death would be allowed through?

dn

"Ge' Weijers" <ge () progressive-systems com> on 06/03/99 11:39:21 AM
To: "Steven M. Bellovin" <smb () research att com>
cc: Robert Graham <robert_david_graham () yahoo com>, Matt Curtin <cmcurtin () interhack net>, David Newman <dnewman () data com>, firewall-wizards () nfr net, firewalls () lists gnac net
bcc: David Newman/NYC/CMPNotes
Subject: Re: Firewall comparison in Data Communications

> On Thu, Jun 03, 1999 at 07:44:58AM -0400, Steven M. Bellovin wrote:
> > Right. More fundamentally, firewalls can't protect you against bugs at a higher level of the protocol stack. An IP+port number firewall (i.e., a typical packet filter) is blind to TCP holes. For that matter, it's blind to attacks based on other portions of the IP packet that it doesn't look at -- 'ping of death' comes to mind.
>
> Even dynamic packet filters (marketing-speak: Multi-Layer Stateful Inspection firewalls) only have limited value here. Most of them don't match 'host/network unreachable' ICMP messages to actual connection attempts. Not that this _can't_ be done correctly, the overhead is just considered too high. And there's your hole to get a variant of ping of death through.
>
> Ge'
> --
> - Ge' Weijers                 Voice: (614)326 4600
> Progressive Systems, Inc.     FAX: (614)326 4601
> 2000 West Henderson Rd. Suite 400, Columbus OH 43220
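The check Ge' Weijers says most stateful filters skip, matching an inbound ICMP error against a connection the filter has actually seen, is small enough to show in full. The following is an added example, not code from anyone in this thread or from any of the products reviewed; the state table layout, the helper names and every address, port and packet in it are constructed for the demonstration. It parses the outer IPv4 header, confirms the ICMP type is one that quotes the offending datagram, then parses the quoted inner header and ports and admits the message only if that 5-tuple is in the outbound connection table. IP and ICMP checksums are not verified here.

```python
"""Toy stateful-filter check: admit an ICMP error only if the datagram it
quotes belongs to a connection the filter has already recorded.
Added example (not from the thread); all packets and addresses are
constructed test data."""
import socket
import struct

ICMP, TCP, UDP = 1, 6, 17
# ICMP error types that carry the offending datagram's header (RFC 792):
# destination unreachable, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 11, 12}


def ipv4_header(src, dst, proto, payload_len, ident=0, flags_frag=0):
    """Build a 20-byte IPv4 header. Checksum is left zero; not verified below."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_frag, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4(pkt):
    """Return (src, dst, proto, header_len), or None if not a usable IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], ihl)


def icmp_error_matches_state(pkt, state):
    """True if pkt is an ICMP error whose quoted datagram matches an entry in
    `state`, a set of (proto, src, sport, dst, dport) tuples recorded for
    outbound traffic. Anything malformed or unmatched is rejected."""
    outer = parse_ipv4(pkt)
    if outer is None or outer[2] != ICMP:
        return False
    icmp = pkt[outer[3]:]
    if len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        return False
    inner_pkt = icmp[8:]            # quoted IP header + first bytes of transport header
    inner = parse_ipv4(inner_pkt)
    if inner is None:
        return False
    isrc, idst, iproto, iihl = inner
    if iproto not in (TCP, UDP) or len(inner_pkt) < iihl + 4:
        return False
    sport, dport = struct.unpack("!HH", inner_pkt[iihl:iihl + 4])
    # The quoted datagram is the one our side sent, so it must line up with
    # a recorded outbound flow exactly (no wildcarding).
    return (iproto, isrc, sport, idst, dport) in state


def build_icmp_error(icmp_type, code, quoted_datagram, err_src, err_dst):
    """Constructed ICMP error: 8-byte ICMP header plus the quoted header bytes."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted_datagram[:28]
    return ipv4_header(err_src, err_dst, ICMP, len(icmp)) + icmp


def demo():
    """Constructed flow 10.0.0.5:40000 -> 192.0.2.10:80/TCP; returns the verdicts
    for a matching and a non-matching 'host unreachable' message."""
    state = {(TCP, "10.0.0.5", 40000, "192.0.2.10", 80)}
    original = ipv4_header("10.0.0.5", "192.0.2.10", TCP, 20) + struct.pack(
        "!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 0, 0, 0)   # SYN
    legit = build_icmp_error(3, 1, original, "192.0.2.1", "10.0.0.5")
    # Same error type, but quoting a UDP flow the filter never recorded.
    unrelated = ipv4_header("10.0.0.5", "198.51.100.7", UDP, 8) + struct.pack(
        "!HHHH", 53000, 53, 8, 0)
    bogus = build_icmp_error(3, 1, unrelated, "192.0.2.1", "10.0.0.5")
    return icmp_error_matches_state(legit, state), icmp_error_matches_state(bogus, state)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The state table here is a plain set keyed on the 5-tuple; a production filter would also age entries out and could tighten the match further with the quoted TCP sequence number, which is the part of the cost the thread is arguing about.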
Current thread:
- Re: Firewall comparison in Data Communications, (continued)
- Re: Firewall comparison in Data Communications Ge' Weijers (Jun 02)
- RE: Firewall comparison in Data Communications David Newman (Jun 02)
- RE: Firewall comparison in Data Communications Kevin Steves (Jun 14)
- RE: Firewall comparison in Data Communications W J La Cholter (Jun 03)
- Re: Firewall comparison in Data Communications Don Kendrick (Jun 03)
- RE: Firewall comparison in Data Communications Russ (Jun 03)
- RE: Firewall comparison in Data Communications csingletary (Jun 03)
- RE: Firewall comparison in Data Communications Rob Polansky (Jun 04)
- Re: Firewall comparison in Data Communications Steven M. Bellovin (Jun 03)
- Re: Firewall comparison in Data Communications Ge' Weijers (Jun 03)
- Re: Firewall comparison in Data Communications dnewman (Jun 03)
- Re: Firewall comparison in Data Communications Ge' Weijers (Jun 03)
- Re: Firewall comparison in Data Communications Kevin Steves (Jun 14)
- RE: Firewall comparison in Data Communications Robert Graham (Jun 03)