Firewall Wizards mailing list archives

RE: Borderware Ping Server


From: "Ofir Arkin" <ofir () sys-security com>
Date: Sat, 20 Oct 2001 20:51:26 +0200

Marcus,

Some old-timers did not understand what I meant... I guess.

We let the FW deal only with what we teach it to recognize, and what is
legitimate IPv4 traffic. This means that if the firewall receives a
packet with an unused bit set, which is against the RFCs' recommendations,
it drops it instantly because it is not legitimate IPv4 traffic. No
questions asked. Another example might be ICMP request packets;
they need to be of a certain length. Some of those should not cross a
router, etc., etc., etc., and the number of examples we can have is huge.
Weird combinations of the TOS field, weird combinations of the IP
Options field, and more.

I was demonstrating this in an old paper I wrote ("Unverified Fields - A
Problem with Firewalls & Firewall Technology Today", available from
http://www.sys-security.com/html/papers.html). 

It is more than common knowledge that today's firewalls just do not
understand IPv4 as they should. They overlook some fields and look at
the obvious where we expect them to look for the unexpected.

What we need is a device which understands IPv4, and the applications,
not a dumb tunnel.


Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA



-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com] On Behalf Of Marcus J. Ranum
Sent: Fri 19 October 2001 4:16
To: Ofir Arkin; 'Don Ng'; firewall-wizards () nfr com
Subject: RE: [fw-wiz] Borderware Ping Server

Ofir Arkin wrote:
Another good design decision might be - we know what is allowed
everything else we trash...


You mean "that which is not expressly permitted is denied"?

Great idea!!! I know a lot of old-timers have been saying that kind of thing
for years. ;)

mjr.
---
Marcus J. Ranum     Chief Technology Officer, NFR Security Inc.
Work:  http://www.nfr.com
Play: http://www.ranum.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

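The "recognise it or drop it" IPv4 validation Ofir describes above, as an added example that is not part of this thread or of any product discussed in it: a minimal default-deny header check that drops packets with the reserved flag bit set, an inconsistent length, a bad header checksum, malformed IP options, or an ICMP message too short for its header. The packet builder, the 10.0.0.x addresses and the 8-byte ICMP minimum are constructed assumptions for the demo.

```python
import struct
RESERVED_FLAG, ICMP = 0x8000, 1  # RFC 791 reserved flag bit (must be zero); ICMP protocol number
def ip_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (IPv4 headers are a multiple of 4 bytes); 0 = valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def validate_ipv4(packet: bytes) -> str:
    """Return 'pass' or 'drop: <reason>'; anything not recognised as legitimate IPv4 is dropped."""
    if len(packet) < 20:
        return "drop: truncated header"
    ver_ihl, _, total_len, _, frag, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(packet):
        return "drop: bad version or IHL"
    if total_len < ihl or total_len > len(packet):
        return "drop: total length inconsistent with packet"
    if frag & RESERVED_FLAG:
        return "drop: reserved flag bit set"
    if ip_checksum(packet[:ihl]) != 0:
        return "drop: header checksum mismatch"
    i = 20  # walk the options: EOL (0) ends the list, NOP (1) is one byte, others carry a length
    while i < ihl and packet[i] != 0:
        if packet[i] == 1:
            i += 1
        elif i + 1 >= ihl or packet[i + 1] < 2 or i + packet[i + 1] > ihl:
            return "drop: malformed IP option"
        else:
            i += packet[i + 1]
    if proto == ICMP and total_len - ihl < 8:  # assumption: RFC 792 fixed ICMP header is 8 bytes
        return "drop: ICMP message shorter than its header"
    return "pass"

def build_ipv4(payload: bytes, frag=0, options=b"", corrupt=False) -> bytes:
    """Constructed sample ICMP-over-IPv4 packet, 10.0.0.1 -> 10.0.0.2, with a valid checksum."""
    options += b"\x00" * (-len(options) % 4)  # pad options to a 32-bit boundary
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                      20 + len(options) + len(payload), 1, frag, 64, ICMP, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options
    cksum = 0 if corrupt else ip_checksum(hdr)  # corrupt=True leaves the field zeroed
    return hdr[:10] + struct.pack("!H", cksum) + hdr[12:] + payload

def demo() -> dict:
    echo = b"\x08\x00\x00\x00\x00\x01\x00\x01"  # constructed ICMP echo request header
    cases = {"clean": build_ipv4(echo), "reserved_bit": build_ipv4(echo, frag=RESERVED_FLAG),
             "short_icmp": build_ipv4(echo[:4]), "bad_option": build_ipv4(echo, options=b"\x07\x01"),
             "bad_checksum": build_ipv4(echo, corrupt=True)}
    return {name: validate_ipv4(pkt) for name, pkt in cases.items()}
```

Each drop reason is a candidate log line for the "no questions asked" policy, so a real filter would count them per source rather than silently discard.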
