Firewall Wizards mailing list archives

Re: CERT vulnerability note VU# 539363


From: Martin <marty () supine com>
Date: Thu, 17 Oct 2002 00:05:44 +1000

Mikael Olsson wrote:

> If you keep state, you will be vulnerable to state table overflows.
> Period.  The only real question is: how much work does the attacker
> need to put in before it becomes painful for the networks that the
> firewall is protecting?  Is being able to resist a 1 Mbps stream
> (~4500 pps) "Not vulnerable"?  Is being able to resist a 34 Mbps stream
> (~150 kpps) "Not vulnerable"?  Or should every single firewall
> vendor report in and say "Vulnerable", and describe what the limit is?

If a vendor's product description claims a capacity of throughput that can
be handled by the product, then that product is particularly vulnerable if
"overflow stream" is less than "claimed capacity". But as you point out, it
would be important to find the limits of all products and what happens when
the state table overflows, because products can always be deployed without
heed to vendor information.

For firewall setups that don't have a vendor or a specific product (i.e.
Linux, *BSD, etc.) it would also be handy to know their limits and
how they fail.


> And, yes, ALG-only firewalls can also be overloaded. It's just a
> different type of 'state'.

Resource exhaustion is possible in almost any scenario; it is more important
to find out when and how things fail, to ensure that failure only results in
a loss of connectivity and not a loss of security.

marty

--
You need only two tools, WD-40 and duct tape. If it doesn't move and
it should, use the WD-40. If it moves and shouldn't, use the tape.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
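The thread's two points, that any state table has a fill time determined by packet rate against capacity, and that what matters is whether a full table fails closed (connectivity lost) or open (security lost), can be made concrete with a small model. The following is an added example, not code from the thread or from any vendor's product; the table capacity, idle timeout and flow keys are assumed values, and the 4500 pps figure is the one quoted above.

```python
"""Model of a stateful firewall connection table under a flood of new flows.

Added illustration for the firewall-wizards thread above; not vendor code.
Assumptions (constructed): a fixed-capacity table keyed by 5-tuple, an idle
timeout for entries, and two overflow policies, fail-closed (refuse new flows,
keep enforcing policy) and fail-open (forward unmatched packets statelessly).
"""
import math
from collections import OrderedDict
from dataclasses import dataclass, field


def seconds_to_fill(capacity, new_flows_per_sec, idle_timeout):
    """Seconds until a table of `capacity` entries fills when every packet of a
    stream creates a new entry. Entries expire after `idle_timeout`, so if the
    steady-state population (rate * timeout) stays below capacity the table
    never fills and math.inf is returned."""
    if new_flows_per_sec * idle_timeout < capacity:
        return math.inf
    return capacity / new_flows_per_sec


@dataclass
class StateTable:
    capacity: int
    idle_timeout: float
    fail_open: bool = False          # True: forward unmatched packets when full
    # flow key -> last-seen time; kept in last-seen order so expiry pops the front
    entries: OrderedDict = field(default_factory=OrderedDict)
    forwarded_with_state: int = 0
    forwarded_stateless: int = 0     # only ever non-zero under fail-open
    dropped: int = 0

    def expire(self, now):
        """Evict idle entries; the oldest last-seen time is always at the front."""
        while self.entries:
            flow, seen = next(iter(self.entries.items()))
            if now - seen <= self.idle_timeout:
                break
            self.entries.popitem(last=False)

    def handle(self, flow, now):
        """Decide the fate of one packet belonging to `flow` at time `now`."""
        self.expire(now)
        if flow in self.entries:                 # established flow: refresh
            self.entries[flow] = now
            self.entries.move_to_end(flow)
            self.forwarded_with_state += 1
            return "forward"
        if len(self.entries) < self.capacity:    # room for a new flow
            self.entries[flow] = now
            self.forwarded_with_state += 1
            return "forward"
        # Table full: the two policies diverge here.
        if self.fail_open:
            self.forwarded_stateless += 1        # connectivity kept, policy lost
            return "forward_stateless"
        self.dropped += 1                        # policy kept, new connections lost
        return "drop"


def simulate(capacity, pps, duration, idle_timeout, fail_open):
    """Feed `pps` packets/second, each a distinct constructed flow, for
    `duration` seconds, then present one legitimate new flow.
    Returns (table, verdict for the legitimate flow)."""
    table = StateTable(capacity, idle_timeout, fail_open)
    for i in range(int(pps * duration)):
        table.handle(("flood-src", i, "dst", 80, "tcp"), i / pps)   # constructed key
    verdict = table.handle(("legit-src", 1, "dst", 443, "tcp"), duration)
    return table, verdict


if __name__ == "__main__":
    cap, rate, timeout = 65536, 4500, 60.0          # assumed capacity/timeout
    print(f"fill time at {rate} pps: {seconds_to_fill(cap, rate, timeout):.1f} s")
    for fail_open in (False, True):
        t, v = simulate(cap, rate, 15, timeout, fail_open)
        print(f"fail_open={fail_open}: legit flow -> {v}, "
              f"stateful={t.forwarded_with_state} stateless={t.forwarded_stateless} "
              f"dropped={t.dropped}")
```

The useful checks when evaluating a real product are the two that the simulation exposes: the fill time at a given packet rate (compare it with the rate a product claims to handle), and whether any packet is ever forwarded without a matching entry once the table is full.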