Firewall Wizards mailing list archives

Re: Firewall comparison


From: Bennett Todd <bet () newritz mordor net>
Date: Mon, 1 Mar 1999 16:38:51 +0000

1999-03-01-16:13:44 John McDonald:
> The only problem with the firewalls you've mentioned....They cannot
> detect fragmented packet UDP storms..which is the very first penetration
> test we attempt to penetrate the firewalls of very recognizable
> companies.

What's a "fragmented packet UDP storm" supposed to do?

If you've got a healthy OS with a robust IP stack, it's not going to crash the
system, and if you aren't running routing through the host, and aren't running
any daemons listening on UDP ports, what's left? Bandwidth saturation of the
upstream link? That's not a penetration, that's a DoS; no firewall on the
downstream end can do anything about it, and the only fix for such a DoS is
filtering it at the upstream end.

> We have run penetration tests on every firewall imaginable over the course of
> the last five years. Our analysis has led us to Firewall-1 being the most
> secure firewall, when properly configured, on a Unix platform.

What's the name of your company again? I will definitely want to make a note
of it.

I suppose I ought to be glad that there are people like you around; if anybody
listens to you, they become way easier targets, which takes some of the heat
off me --- "I don't have to outrun the bear, I only have to outrun _you_" kind
of thing.

-Bennett
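As an added illustration of the detection question raised in this thread (this is example code written for this page, not anything from the original posts or from any of the firewalls discussed), the script below flags sources sending bursts of fragmented UDP datagrams. It works over a constructed list of packet summaries, the fields a packet filter or tcpdump log would carry; the addresses, the window of one second and the threshold of 50 fragments per window are assumptions chosen for the example.

```python
"""Flag sources of fragmented UDP bursts from logged packet summaries.

Added example for the mailing-list thread above; not code from any post or
product. Input is a constructed list of Packet records, not live traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # capture timestamp in seconds
    src: str           # source IPv4 address
    proto: int         # IP protocol number; 17 is UDP
    more_frags: bool   # IP "more fragments" (MF) flag
    frag_offset: int   # fragment offset, in 8-byte units


def is_fragment(pkt: Packet) -> bool:
    """A packet belongs to a fragmented datagram if MF is set or offset > 0."""
    return pkt.more_frags or pkt.frag_offset > 0


def fragmented_udp_storm_sources(packets, window=1.0, threshold=50):
    """Return {src: peak fragments-per-window} for sources at or over threshold.

    Only the first fragment (offset 0) carries the UDP header, so later
    fragments are identified as UDP by the IP protocol field, not by ports.
    A sliding window over per-source timestamps finds the busiest interval.
    """
    per_src = defaultdict(list)
    for p in packets:
        if p.proto == 17 and is_fragment(p):
            per_src[p.src].append(p.ts)

    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        peak = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans <= window seconds
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def constructed_sample():
    """Constructed traffic: one storm source, one benign source, one slow one."""
    pkts = []
    # storm: 200 UDP fragments from 192.0.2.10 inside half a second
    for i in range(200):
        pkts.append(Packet(ts=i * 0.0025, src="192.0.2.10", proto=17,
                           more_frags=(i % 2 == 0), frag_offset=(i % 2) * 185))
    # benign: 10 unfragmented UDP packets (DNS-sized) from 192.0.2.20
    for i in range(10):
        pkts.append(Packet(ts=i * 0.1, src="192.0.2.20", proto=17,
                           more_frags=False, frag_offset=0))
    # slow: 30 fragments spread over ten seconds from 192.0.2.30, under threshold
    for i in range(30):
        pkts.append(Packet(ts=i / 3.0, src="192.0.2.30", proto=17,
                           more_frags=True, frag_offset=0))
    return pkts


if __name__ == "__main__":
    for src, peak in fragmented_udp_storm_sources(constructed_sample()).items():
        print(f"fragmented UDP burst from {src}: {peak} fragments in one window")
```

The script only reports; it makes Bennett's point concrete rather than contradicting it. A host or firewall on the downstream end can count the fragments and raise an alert, but by the time they are counted they have already crossed the upstream link, so if the goal of the flood is saturating that link, the filtering has to happen on the upstream side.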


