Firewall Wizards mailing list archives

Re: Protecting publicly reachable servers


From: <Michel.Ludolph () postbankmail nl>
Date: Wed, 28 Nov 2001 11:09:16 +0100


"Patrick M. Hausen" <hausen () punkt de> said:

My reasoning has always been that - given the state of
firewall products today - a static packet filter that
blocks all but port 80 would be the most appropriate
solution to offer some sort of protection to the server
machine.
So basically, I have two questions to you all:

1. Do you agree with me wrt the firewall vs. packet filter
topic?

Not completely. You need to be careful when using extended access lists
(filtering on port numbers) in combination with fragmented packets. A router
packet filter does not re-assemble fragmented packets, but sends them straight
through. Only the first fragment contains port data, the following fragments do
not and are therefore not denied by the packet filter.

A smart exploit may fool the packet filter: the first fragment pretends to
approach a legitimate port, access is granted, the following (malformed)
fragments are permitted as well.

A firewall re-assembles all packets before forwarding them and is therefore less
susceptible to this kind of attack.


Michel Ludolph
michel.ludolph () atosorigin com
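The fragment problem described above, as an added example that is not part of Michel's post or of any product mentioned in the thread. It models a stateless port ACL next to a filter that reassembles before deciding, and runs three constructed datagram sets through both: a normal fragmented request to port 80, a fragmented connection to port 23 (the "all but port 80" policy should reject it), and an overlapping fragment of the kind RFC 1858 describes. The addresses, header builders, fragment sizes, the PASS/DROP/HOLD verdicts and both filter models are assumptions made for the illustration; only the IPv4 facts that transport ports live in the offset-0 fragment and that fragment offsets count 8-byte units are real.

```python
"""Stateless port filter vs. reassembling filter on IPv4 fragments (constructed example)."""
import struct

IPPROTO_TCP = 6
MF = 0x2000                 # "More Fragments" bit in the IPv4 flags/offset word
ALLOWED_DPORTS = {80}       # the "block all but port 80" policy from the thread


def ipv4_header(src, dst, total_len, ident, flags_off):
    # Version 4, IHL 5, TTL 64, protocol TCP; header checksum left at 0 (not checked here).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off,
                       64, IPPROTO_TCP, 0, src, dst)


def tcp_segment(sport, dport, data=b"", flags=0x02):
    # 20-byte TCP header: ports, seq, ack, data offset (5 words), flags, window, csum, urg.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + data


def fragment(src, dst, ident, l4, frag_size):
    """Split a transport payload into IPv4 fragments of frag_size bytes (multiple of 8)."""
    assert frag_size % 8 == 0, "fragment offsets are expressed in 8-byte units"
    frags = []
    for off in range(0, len(l4), frag_size):
        chunk = l4[off:off + frag_size]
        more = off + frag_size < len(l4)
        flags_off = (MF if more else 0) | (off // 8)
        frags.append(ipv4_header(src, dst, 20 + len(chunk), ident, flags_off) + chunk)
    return frags


def parse(pkt):
    ver_ihl, _, tlen, ident, flags_off, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"key": (src, dst, ident, proto), "more": bool(flags_off & MF),
            "offset": (flags_off & 0x1FFF) * 8, "payload": pkt[ihl:tlen]}


def port_rule(l4):
    """The policy itself, applied to bytes that are supposed to start with a TCP header."""
    if len(l4) < 4:
        return "DROP"                       # too short to even carry the port numbers
    dport = struct.unpack("!HH", l4[:4])[1]
    return "PASS" if dport in ALLOWED_DPORTS else "DROP"


def stateless_filter(pkt):
    """Router ACL model: the ports are only visible in the offset-0 fragment. Every
    other fragment carries no transport header, matches no port rule, and is passed."""
    p = parse(pkt)
    return port_rule(p["payload"]) if p["offset"] == 0 else "PASS"


class ReassemblingFilter:
    """Firewall model: hold fragments per datagram, reject overlapping (malformed) sets,
    and apply the port rule once to the reassembled payload."""

    def __init__(self):
        self.pending = {}                   # datagram key -> [(offset, more, payload)]

    def feed(self, pkt):
        p = parse(pkt)
        if p["offset"] == 0 and not p["more"]:
            return port_rule(p["payload"])  # not fragmented: decide immediately
        frags = self.pending.setdefault(p["key"], [])
        frags.append((p["offset"], p["more"], p["payload"]))
        frags.sort()
        if all(more for _, more, _ in frags):
            return "HOLD"                   # last fragment not seen yet
        buf, covered = bytearray(), 0
        for off, _, payload in frags:
            if off < covered:               # overlaps data already received: malformed
                del self.pending[p["key"]]
                return "DROP"
            if off > covered:
                return "HOLD"               # gap: still waiting for a middle fragment
            buf += payload
            covered += len(payload)
        del self.pending[p["key"]]
        return port_rule(bytes(buf))


def run_scenarios():
    """Constructed traffic: returns per-fragment verdicts of both filter models."""
    src, dst = bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10])
    web = fragment(src, dst, 0x1111, tcp_segment(40000, 80, b"GET / HTTP/1.0\r\n\r\n"), 16)
    telnet = fragment(src, dst, 0x2222, tcp_segment(40001, 23, b"x" * 24), 16)
    # RFC 1858 style overlap: same datagram id as `web`, offset 8 (FO=1), MF clear, 12 bytes
    # that land on the second half of the TCP header already carried by web[0].
    overlap = [web[0], ipv4_header(src, dst, 20 + 12, 0x1111, 1) + bytes(12)]
    results = {}
    for name, frags in (("web", web), ("telnet", telnet), ("overlap", overlap)):
        fw = ReassemblingFilter()
        results[name] = {"stateless": [stateless_filter(f) for f in frags],
                         "reassembling": [fw.feed(f) for f in frags]}
    return results


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(name, verdicts)
```

The telnet set shows the gap the post is about: the stateless filter drops the first fragment, because it can see port 23, and then passes the two remaining fragments unchecked; the reassembling filter holds all three and drops the whole datagram. The overlap set shows why the reassembling side also has to treat overlap as malformed rather than silently merge it.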


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards