Firewall Wizards mailing list archives
RE: Borderware Ping Server
From: "Ofir Arkin" <ofir () sys-security com>
Date: Wed, 17 Oct 2001 22:40:45 +0200
Another good design decision might be - we know what is allowed, everything else we trash... Just think about it

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com

PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () nfr com]
Sent: Wed, 17 October 2001 17:42
To: Ofir Arkin; 'Don Ng'; firewall-wizards () nfr com
Subject: RE: [fw-wiz] Borderware Ping Server

Ofir Arkin wrote:
This is not only the question of ping of death. There is also a very important issue of how this ping server/proxy validates that the requests sent and received are truly genuine ICMP echo requests and replies. Especially data in the data portion of the ICMP echo request and reply, message length and other gizmos.
Right. What you're really raising is the old proxy/filter debate in a new form. :) I've run across it a couple times in the past.... ;)

Proxies are _only_ valuable if they do extended state tracking and error checking. Very few proxies actually _do_ that kind of extended tracking and checking. By their usual implementation, though, they generally do better tracking and checking than filters - even "stateful" ones.

Now, let me push the argument forward a step. First generation proxies were designed to deflect and prevent categories of attacks by being gateways that implemented minimized design subsets. That was a pretty good idea but we could have done better - we could have added not just attack defeating through good design, but specific detection of _known_ attacks. I.e.: let's say a web proxy defeats a WWW buffer overrun - identify the specific attack in the process of blocking it: now you've implemented what amounts to proactive intrusion detection and diagnosis. That's a really useful model; I had planned to go that way in the fwtk/Gauntlet back in the early '90s but there wasn't enough time in the day to add that kind of capability. I bet that's where it'll all end up, eventually.

So you'd have something that would proxy ping, do intrusion detection for it, and error detection for it. Since the proxy would "understand" ping it'd be a good place to look at doing statistical anomaly detection for ping-specific stuff.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
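The validating ping proxy the thread describes (pass only what is known to be a genuine echo request or reply, match each reply to an outstanding request, and bound the data portion and message length), as an added example that is not code from the list discussion or from any Borderware product. The 1472-byte payload limit, the verdict strings and the `EchoProxyState` name are assumptions chosen for illustration.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
# Assumed proxy policy: largest echo payload we are willing to relay
# (fits in one Ethernet frame); anything bigger is in the ping-of-death class.
MAX_PAYLOAD = 1472


def icmp_checksum(data: bytes) -> int:
    """RFC 792 ones'-complement checksum; returns 0 for a message whose
    checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Construct an echo request/reply (used here to build sample traffic)."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


class EchoProxyState:
    """Allow-list state tracker: 'out' = request leaving the protected net,
    'in' = reply coming back. Returns 'allow' or 'drop:<reason>'."""

    def __init__(self):
        self.pending = {}  # (ident, seq) -> request payload awaiting a reply

    def check(self, pkt: bytes, direction: str) -> str:
        if len(pkt) < 8:
            return "drop:short-header"
        if icmp_checksum(pkt) != 0:
            return "drop:bad-checksum"
        icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
        payload = pkt[8:]
        if code != 0:                       # echo messages always carry code 0
            return "drop:nonzero-code"
        if len(payload) > MAX_PAYLOAD:
            return "drop:oversized-payload"
        if direction == "out" and icmp_type == ICMP_ECHO_REQUEST:
            self.pending[(ident, seq)] = payload
            return "allow"
        if direction == "in" and icmp_type == ICMP_ECHO_REPLY:
            expected = self.pending.pop((ident, seq), None)
            if expected is None:
                return "drop:unsolicited-reply"
            # A genuine reply echoes the request's data portion unchanged.
            return "allow" if expected == payload else "drop:payload-mismatch"
        return "drop:not-echo-for-direction"  # everything else is trashed
```

Each drop reason doubles as the "identify the specific attack while blocking it" signal the thread asks for, so the same proxy can feed a detection log.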