Firewall Wizards mailing list archives

Re: Win 2003 and PiX


From: Paul Robertson <proberts () patriot net>
Date: Sat, 10 May 2003 10:44:07 -0400 (EDT)

On Sat, 10 May 2003, Luca Berra wrote:

> seems that pix does not grok EDNS and i do not think you can remove
> this.

Brian Ford's posted that 6.3 allows removal...

> RANT1:  when will firewall vendors stop hardcoding arbitrary
> constraints in their products?

Counter-rant:

Enforcing limits in application layers is a *good* thing from a security perspective. The failure here *isn't* the limitation, it's getting the fix in by the time the protocol or implementation changes are widely deployed.

Limits are a *good* way to stop buffer overflows, and in this case, I think Cisco was doing the right thing originally. They dropped the ball on keeping up to date. It doesn't hurt them business-wise that folks would need to keep the software up to date either, so I'm puzzled that they didn't have a fix ready to roll. I'm all for "On by default" too, though I think "No off button originally" is kind of short-sighted.

Heck, the reason HTTP is such a PITA to deal with is that it's a limitless protocol.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

