RE: COmpare Firewalls

["Joe Ippolito" <joe () joesnet com>]

I know that MS has addressed problems like "ping of death" to NT with
previous service packs;  See
http://support.microsoft.com/support/kb/articles/Q132/4/70.asp for a really
old one.  Does anyone out there know whether NT 4 SP5 (without MS Proxy's
packet filter) is still vulnerable to such attacks?  Just curious.

-----Original Message-----
From: Darren Reed [mailto:darrenr () reed wattle id au]
Sent: Thursday, September 09, 1999 5:16 AM
To: dwelch () best com
Cc: joe () joesnet com; firewall-wizards () nfr net
Subject: Re: COmpare Firewalls


In some email I received from Dameon D. Welch, sie wrote:
> An application layer filter can not protect your OS against certain DOS
> attacks such as a Ping of Death. A ping of death causes problems at the
> IP stack, which an application can not effectively protect. An application
> can filter based on IP addresses, but it's more like an access list for
> the application (like TCP Wrappers) versus kernel-level packet filtering.

Is this just ignorance or what ?  Well, I guess it depends on _what_ you
consider as being "protected" here.  If you want to include the firewall
itself, then if it just does application proxying, sure, it may die from
the Ping of Death.  But unless their product is a total piece of garbage.
whatever is behind it should be immune to the Ping of Death.  (When I say
garbage, I'm implying that they must have a ICMP relay program that not
only receives a PoD without dieing but creates one itself, which I would
consider rather extraordinary for a firewall to do).

FWIW, the application proxy should be able to do filtering on things like
source routing (socket options), bad source addresses/port numbers - other
nasty packets such as those fragmented inside the TCP header aren't going
to be a worry because they need to be reassembled by the proxy firewall
and will be treated as a whole by the firewall and not resent on as those
nastygrams.

Darren