Firewall Wizards mailing list archives
Re: CERT vulnerability note VU# 539363
From: Martin <marty () supine com>
Date: Thu, 17 Oct 2002 00:05:44 +1000
Mikael Olsson wrote:

> If you keep state, you will be vulnerable to state table overflows. Period. The only real question is: how much work does the attacker need to put in before it becomes painful for the networks that the firewall is protecting? Is being able to resist a 1 Mbps stream (~4500 pps) "Not vulnerable"? Is being able to resist a 34 Mbps stream (~150 kpps) "Not vulnerable"? Or should every single firewall vendor report in and say "Vulnerable", and describe what the limit is?
If a vendor's product description claims a capacity of throughput that can be handled by the product, then that product is particularly vulnerable if "overflow stream" is less than "claimed capacity". But as you point out, it would be important to find the limits of all products and what happens when the state table overflows, because products can always be deployed without heed to vendor information. For firewall setups that don't have a vendor or a specific product (i.e. Linux, *BSD, etc.) it would also be handy to know their limits and how they fail.
> And, yes, ALG-only firewalls can also be overloaded. It's just a different type of 'state'.
Resource exhaustion is possible in almost any scenario; it is more important to find out when and how things fail, to ensure that failure only results in a loss of connectivity and not a loss of security.

marty

-- 
You need only two tools, WD-40 and duct tape. If it doesn't move and it should, use the WD-40. If it moves and shouldn't, use the tape.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
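The distinction the message draws, failure that costs connectivity versus failure that costs security, is easiest to see with a small model of a bounded state table under a SYN flood. The Python below is an added illustration for this archive page, not code from the thread or from any vendor or product discussed in it; the firewall policy, the two exhausted-table behaviours ("fail_closed" and "fail_open"), and all addresses, ports and rates are constructed assumptions. It also includes the arithmetic behind Mikael's numbers: a flood of unique SYNs at a given packet rate pins roughly pps × half-open-timeout entries, so 4500 pps against a 30 s half-open timeout needs about 135,000 entries before the table is full.

```python
"""Toy model of a stateful firewall whose connection table can be exhausted.

Added illustration, not code from the firewall-wizards thread.  It models the
two ways a state table can fail when it fills: refusing new state (the flood
costs connectivity) or degrading to stateless filtering (the flood costs
security).  Addresses, ports and rates below are constructed sample data.
"""
from collections import OrderedDict


def entries_needed(pps, half_open_timeout_s):
    """State entries an attacker can pin with a flood of `pps` unique SYNs
    per second while each half-open entry lives `half_open_timeout_s`."""
    return int(pps * half_open_timeout_s)


class StatefulFirewall:
    """Policy (assumed): inside hosts may open any outbound flow; outside
    hosts may open flows only to `published` ports; every other packet must
    match an existing state entry.  `on_full` selects the exhausted-table
    behaviour:
      "fail_closed": no new state can be created, untracked packets are dropped
      "fail_open":   fall back to a stateless ACL that treats any ACK-bearing
                     packet as return traffic (the loss-of-security case)
    """

    def __init__(self, capacity, published, on_full="fail_closed",
                 syn_timeout=30.0, est_timeout=3600.0):
        self.capacity = capacity
        self.published = set(published)
        self.on_full = on_full
        self.syn_timeout = syn_timeout
        self.est_timeout = est_timeout
        self.table = OrderedDict()          # flow key -> (state, last_seen)
        self.stats = {"pass": 0, "drop": 0, "untracked_pass": 0}

    @staticmethod
    def flow_key(pkt):
        # Both directions of a flow map to one entry.
        ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        return tuple(ends)

    def expire(self, now):
        # Half-open entries age out faster than established ones.
        for k, (state, last_seen) in list(self.table.items()):
            ttl = self.syn_timeout if state == "SYN" else self.est_timeout
            if now - last_seen > ttl:
                del self.table[k]

    def policy_allows_new_flow(self, pkt):
        return pkt["flags"] == "S" and (
            pkt["dir"] == "out" or pkt["dport"] in self.published)

    def stateless_verdict(self, pkt):
        # What a stateless ACL would do: new flows per policy, anything with
        # ACK set assumed to be return traffic.  Easily fooled by ACK probes.
        if pkt["flags"] == "S":
            return self.policy_allows_new_flow(pkt)
        return "A" in pkt["flags"]

    def process(self, pkt, now):
        """Return True if the packet is forwarded."""
        self.expire(now)
        k = self.flow_key(pkt)
        if k in self.table:
            state = "EST" if "A" in pkt["flags"] else self.table[k][0]
            self.table[k] = (state, now)
            self.stats["pass"] += 1
            return True
        if len(self.table) < self.capacity:
            if self.policy_allows_new_flow(pkt):
                self.table[k] = ("SYN", now)
                self.stats["pass"] += 1
                return True
            self.stats["drop"] += 1
            return False
        # Table exhausted: behaviour depends on how the product fails.
        if self.on_full == "fail_open" and self.stateless_verdict(pkt):
            self.stats["untracked_pass"] += 1
            return True
        self.stats["drop"] += 1
        return False


def run_scenario(on_full, flood_packets, capacity=500, flood_pps=2000):
    """SYN-flood a published web server, then test one legitimate client SYN
    and one attacker ACK probe to an unpublished internal port."""
    fw = StatefulFirewall(capacity, published={80}, on_full=on_full)
    now = 0.0
    for i in range(flood_packets):   # spoofed sources, handshakes never complete
        now = i / flood_pps
        fw.process({"src": "203.0.113.%d" % (i % 200), "sport": 1024 + i,
                    "dst": "192.0.2.10", "dport": 80, "flags": "S", "dir": "in"}, now)
    legit = fw.process({"src": "198.51.100.7", "sport": 40000, "dst": "192.0.2.10",
                        "dport": 80, "flags": "S", "dir": "in"}, now)
    probe = fw.process({"src": "203.0.113.250", "sport": 5555, "dst": "192.0.2.20",
                        "dport": 22, "flags": "A", "dir": "in"}, now)
    return {"table_size": len(fw.table), "legit_syn_passed": legit,
            "ack_probe_passed": probe, "stats": dict(fw.stats)}


if __name__ == "__main__":
    print("entries pinned by 4500 pps with 30 s half-open timeout:",
          entries_needed(4500, 30))
    for mode in ("fail_closed", "fail_open"):
        print(mode, run_scenario(mode, flood_packets=2000))
```

With the table full, the "fail_closed" model drops the legitimate client's SYN and the attacker's ACK probe alike (loss of connectivity only), while the "fail_open" model forwards both, so the probe reaches an unpublished port behind the firewall (loss of security). Finding which of the two a given product or OS does at its limit is the test the message is asking for.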
Current thread:
- RE: CERT vulnerability note VU# 539363, (continued)
- RE: CERT vulnerability note VU# 539363 Stephen Gill (Oct 16)
- RE: CERT vulnerability note VU# 539363 Ofir Arkin (Oct 16)
- RE: CERT vulnerability note VU# 539363 Stephen Gill (Oct 16)
- Re: CERT vulnerability note VU# 539363 Paul D. Robertson (Oct 16)
- Re: CERT vulnerability note VU# 539363 R. DuFresne (Oct 16)
- Re: CERT vulnerability note VU# 539363 Daniel Hartmeier (Oct 16)
- Re: CERT vulnerability note VU# 539363 Paul D. Robertson (Oct 16)
- RE: CERT vulnerability note VU# 539363 Stephen Gill (Oct 16)
- Re: CERT vulnerability note VU# 539363 Frank Knobbe (Oct 16)
- Re: CERT vulnerability note VU# 539363 Paul Robertson (Oct 16)
- Re: CERT vulnerability note VU# 539363 Mikael Olsson (Oct 16)
- RE: CERT vulnerability note VU# 539363 Philip J. Koenig (Oct 16)
- RE: CERT vulnerability note VU# 539363 Stephen Gill (Oct 17)