Firewall Wizards mailing list archives
Re: Firewall comparison
From: Bennett Todd <bet () newritz mordor net>
Date: Mon, 1 Mar 1999 16:38:51 +0000
1999-03-01-16:13:44 John McDonald:
> The only problem with the firewalls you've mentioned... They cannot detect fragmented packet UDP storms, which is the very first penetration test we attempt to penetrate the firewalls of very recognizable companies.
What's a "fragmented packet UDP storm" supposed to do? If you've got a healthy OS with a robust IP stack, it's not going to crash the system, and if you aren't running routing through the host, and aren't running any daemons listening on UDP ports, what's left? Bandwidth saturation of the upstream link? That's not a penetration, that's a DoS, no firewall on the downstream end can do anything about it; the only fix for such a DoS is filtering it at the upstream end.
> We have run penetration tests on every firewall imaginable over the course of the last five years. Our analysis has led us to Firewall-1 being the most secure firewall, when properly configured, on a Unix platform.
What's the name of your company again? I will definitely want to make a note of it. I suppose I ought to be glad that there are people like you around; if anybody listens to you, they become way easier targets, which takes some of the heat off me --- "I don't have to outrun the bear, I only have to outrun _you_" kind of thing. -Bennett
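Bennett's point, that a fragmented-UDP storm against a host with no UDP listeners and no routing amounts to saturation of the upstream link rather than a penetration, can be made concrete. The following is an added example and not code from this thread: a small detector over a constructed packet log that counts fragmented UDP datagrams per source per one-second window and expresses the peak rate as a fraction of an assumed 1.5 Mbit/s upstream link; the threshold, link speed, addresses and log format are all assumptions.

```python
"""Flag sources sending a 'fragmented packet UDP storm' in a packet log.

Each record is (timestamp_s, src_ip, ip_proto, more_fragments, frag_offset, length_bytes).
The log below is constructed for illustration; the threshold and link speed are assumptions.
"""
from collections import defaultdict

UDP = 17


def is_fragment(more_fragments, frag_offset):
    # An IP datagram is a fragment if the MF flag is set or the fragment offset is non-zero.
    return bool(more_fragments) or frag_offset > 0


def detect_fragment_storm(records, window_s=1.0, pps_threshold=500, link_bps=1_500_000):
    """Return {src_ip: {"peak_pps": ..., "link_fraction": ...}} for sources over the threshold.

    link_fraction > 1.0 means the peak window alone exceeds the assumed upstream capacity,
    i.e. the effect is bandwidth saturation that a downstream firewall cannot undo.
    """
    # src -> window index -> [packet count, byte count]
    buckets = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ts, src, proto, mf, off, length in records:
        if proto != UDP or not is_fragment(mf, off):
            continue
        b = buckets[src][int(ts // window_s)]
        b[0] += 1
        b[1] += length
    offenders = {}
    for src, windows in buckets.items():
        peak_pkts, peak_bytes = max(windows.values(), key=lambda v: v[0])
        pps = peak_pkts / window_s
        if pps >= pps_threshold:
            offenders[src] = {
                "peak_pps": pps,
                "link_fraction": round(peak_bytes * 8 / window_s / link_bps, 3),
            }
    return offenders


def constructed_log():
    recs = []
    # Benign traffic: a few large UDP datagrams from 10.0.0.5, each split into two fragments.
    for i in range(3):
        recs.append((0.1 * i, "10.0.0.5", UDP, 1, 0, 1500))
        recs.append((0.1 * i + 0.01, "10.0.0.5", UDP, 0, 185, 1300))
    # Storm: 800 first-fragments of 1500 bytes inside one second from 192.0.2.9.
    for i in range(800):
        recs.append((2 + i / 800, "192.0.2.9", UDP, 1, 0, 1500))
    # A fragmented non-UDP datagram, which the detector must ignore.
    recs.append((2.5, "192.0.2.9", 1, 1, 0, 1500))
    return recs


if __name__ == "__main__":
    print(detect_fragment_storm(constructed_log()))
```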