Firewall Wizards mailing list archives
Re: Protecting publicly reachable servers
From: <Michel.Ludolph () postbankmail nl>
Date: Wed, 28 Nov 2001 11:09:16 +0100
"Patrick M. Hausen" <hausen () punkt de> said:

> My reasoning has always been that - given the state of firewall products today - a static packet filter that blocks all but port 80 would be the most appropriate solution to offer some sort of protection to the server machine.
>
> So basically, I have two questions to you all:
>
> 1. Do you agree with me wrt to the firewall vs. packet filter topic?
Not completely. You need to be careful when using extended access lists (filtering on port numbers) in combination with fragmented packets.

A router packet filter does not re-assemble fragmented packets, but sends them straight through. Only the first fragment contains port data; the following fragments do not and are therefore not denied by the packet filter. A smart exploit may fool the packet filter: the first fragment pretends to approach a legitimate port, access is granted, and the following (malformed) fragments are permitted as well.

A firewall re-assembles all packets before forwarding them and is therefore less susceptible to this kind of attack.

Michel Ludolph
michel.ludolph () atosorigin com
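A toy model of the two behaviours Michel describes, added here as an example for this archive page (it is not code from either poster). It puts a stateless port filter, which can only match the one fragment that carries a transport header, beside a reassembling filter that holds fragments and applies the same "port 80 only" rule to the whole datagram. Everything in it is constructed: the Fragment record is a simplified IP fragment (byte offsets instead of 8-byte units, no real IP header), the sample traffic is made up inline, and the function names are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

WEB_PORT = 80  # the one port the rule permits, as in Patrick's proposal


@dataclass(frozen=True)
class Fragment:
    """Simplified IP fragment (constructed for this example)."""
    dgram_id: int   # IP identification field shared by all fragments of one datagram
    offset: int     # offset of this slice within the datagram, in bytes
    more: bool      # the "more fragments" flag
    payload: bytes  # this fragment's slice of the transport-layer datagram


def dst_port(transport: bytes) -> Optional[int]:
    """Destination port of a TCP/UDP header: bytes 2-3, big-endian."""
    if len(transport) < 4:
        return None
    return struct.unpack("!H", transport[2:4])[0]


def stateless_filter(frag: Fragment) -> str:
    """Router-style ACL: every fragment is judged on its own.

    Only the first fragment (offset 0) carries the transport header, so only
    it can be matched against the port rule. Later fragments have no port
    field at all, so the rule has nothing to match and lets them through.
    """
    if frag.offset != 0:
        return "permit"
    return "permit" if dst_port(frag.payload) == WEB_PORT else "deny"


class ReassemblingFilter:
    """Firewall-style filter: hold fragments until the datagram is complete,
    then apply the port rule to the reassembled datagram as a whole."""

    def __init__(self) -> None:
        self.pending: Dict[int, List[Fragment]] = {}

    def offer(self, frag: Fragment) -> str:
        frags = self.pending.setdefault(frag.dgram_id, [])
        frags.append(frag)
        try:
            datagram = self._try_reassemble(frags)
        except ValueError:
            # Overlapping fragments are never a well-formed datagram; drop them
            # rather than guess which bytes the receiver would keep.
            del self.pending[frag.dgram_id]
            return "deny"
        if datagram is None:
            return "hold"  # still waiting for the rest of the datagram
        del self.pending[frag.dgram_id]
        return "permit" if dst_port(datagram) == WEB_PORT else "deny"

    @staticmethod
    def _try_reassemble(frags: List[Fragment]) -> Optional[bytes]:
        ordered = sorted(frags, key=lambda f: f.offset)
        if ordered[-1].more:
            return None  # final fragment not seen yet
        buf = bytearray()
        for f in ordered:
            if f.offset < len(buf):
                raise ValueError("overlapping fragment")
            if f.offset > len(buf):
                return None  # a gap: some fragment is still missing
            buf += f.payload
        return bytes(buf)


def build_fragments(dgram_id: int, transport: bytes, chunk: int = 16) -> List[Fragment]:
    """Split one transport datagram into fragments of `chunk` bytes."""
    return [
        Fragment(dgram_id, off, off + chunk < len(transport), transport[off:off + chunk])
        for off in range(0, len(transport), chunk)
    ]


def run_samples() -> Dict[str, List[str]]:
    """Constructed traffic: a datagram to port 80 and one to port 23, each in
    two fragments. Returns the per-fragment decision of both filters."""
    web = struct.pack("!HH", 40000, 80) + b"GET / HTTP/1.0\r\n\r\n"
    other = struct.pack("!HH", 40001, 23) + b"not web traffic"
    traffic = build_fragments(1, web) + build_fragments(2, other)
    fw = ReassemblingFilter()
    return {
        "stateless": [stateless_filter(f) for f in traffic],
        "reassembling": [fw.offer(f) for f in traffic],
    }


if __name__ == "__main__":
    for name, decisions in run_samples().items():
        print(f"{name:13s}: {decisions}")
```

In the sample run the stateless filter denies the first fragment of the port 23 datagram but permits its second fragment, which is exactly the gap Michel points out; the reassembling filter holds both and then denies the completed datagram. Two caveats for anyone building on the idea: a real reassembling firewall caps the pending buffer by size and age, because unbounded reassembly state is itself something an attacker can fill, and a device that cannot reassemble can at least drop initial fragments too short to hold a complete transport header (the RFC 1858 recommendation), so the port check always sees a real header.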