Firewall Wizards mailing list archives

Re: Win 2003 and PiX


From: Luca Berra <bluca () comedia it>
Date: Sat, 10 May 2003 23:55:55 +0200

Paul Robertson wrote:
> On Sat, 10 May 2003, Luca Berra wrote:
>
>> seems that pix does not grok EDNS and i do not think you can remove
>> this.
>
> Brian Ford's posted that 6.3 allows removal...

The link I posted comes from pix 6.3 documentation, besides i cannot
find how to do the changes Brian writes about.

>> RANT1:  when will firewall vendors stop hardcoding arbitrary
>> constraints in their products?
>
> Counter-rant:
>
> Enforcing limits in application layers is a *good* thing from a security
> perspective.  The failure here *isn't* the limitation, it's getting the
> fix in by the time the protocol or implementation changes are widely
> deployed.

i said _hardcoding_arbitrary_limits_, which should mean it is _acceptable_
(*) to have a limit, it is _acceptable_ also if these limits are the
default. What is IMHO *bad* in this is that the limit was hardcoded and
that there was no 'Off button'.

But pix 6.3 documentation available on www.cisco.com STATES that PIX
ENFORCES a limit of 512 bytes on dns udp packets, and if Cisco changed
this, they did not take the time to document it (or i am too silly to
find that document).

So could someone from Cisco clarify on this issue?

> Limits are a *good* way to stop buffer overflows, and in this case, I
> think Cisco was doing the right thing originally.  They dropped the
> ball on keeping up to date.  It doesn't hurt them business-wise that
> folks would need to keep the software up to date either, so I'm
> puzzled that they didn't have a fix ready to roll.  I'm all for "On by
> default" too, though I think "No off button originally" is kind of
> short-sighted.

I am not sure i agree on this: software updates are expensive (and not
much of the expense is going license-wise). There is already good reason
to upgrade for getting new features (having numbered access lists would
be a sufficient reason to upgrade in my view) and fixing genuine bugs. I
don't think asking customers to upgrade to drop imposed limits is a good
market trick.

(*) now i do not really believe that a firewall that sets limits on upper
layer protocols without reimplementing them as a real proxy is bound to
do any good.

Pix in this case allows a dns client/server pair to negotiate EDNS, then
shoots at it.
I have seen firewalls allowing mail servers to negotiate STARTTLS then
being unable to understand wtf was going on.
Everyone here has seen ftp fixups from various vendors being exploited
in most creative ways.
Is this *good*?
well... i can call it _acceptable_ based on the fact that implementing
proxies is expensive, but i still have to be convinced in calling this good.

Regards,

L.

-- 
Luca Berra -- bluca () comedia it
 /"\
 \ /     ASCII RIBBON CAMPAIGN
  X        AGAINST HTML MAIL
 / \
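The negotiate-then-drop failure Luca describes (client and server agree on EDNS0, the server answers with a UDP datagram larger than 512 bytes, and a fixup with a hard-coded ceiling discards it) can be modelled offline. The following is an added example, not code from the thread, from the PIX, or from Cisco: it builds DNS messages with and without an EDNS0 OPT record, lets a model server honour the client's advertised size the way RFC 1035/2671 describe (truncate with TC when the reply would exceed it), and then runs the reply through a deliberately minimal stand-in for a 512-byte fixup. The 512-byte ceiling is the one the post cites; the query name example.test, the 192.0.2.x answers, the 4096-byte advertised sizes and the function names are constructed for the example.

```python
"""Model of EDNS0 negotiation meeting a fixup that enforces a fixed 512-byte DNS/UDP ceiling.
All messages are constructed in memory; nothing is sent on the network."""
import struct
from typing import Optional

OPT_TYPE = 41              # EDNS0 OPT pseudo-RR type (RFC 2671)
CLASSIC_UDP_LIMIT = 512    # pre-EDNS DNS/UDP ceiling, the limit the post says the PIX enforces
TC_FLAG = 0x0200           # "truncated" bit in the DNS header flags


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels ending with the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name starting at `off` (compression pointers included)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def opt_record(udp_size: int) -> bytes:
    """OPT RR: root name, TYPE=41, CLASS carries the sender's UDP payload size, TTL=0, RDLEN=0."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)


def build_query(qname: str, edns_udp_size: Optional[int]) -> bytes:
    """A-record query; advertises EDNS0 with the given payload size when edns_udp_size is set."""
    arcount = 0 if edns_udp_size is None else 1
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)   # constructed ID, RD set
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN
    if edns_udp_size is not None:
        msg += opt_record(edns_udp_size)
    return msg


def advertised_udp_size(msg: bytes) -> Optional[int]:
    """EDNS0 payload size carried in the message's OPT RR, or None if there is no OPT RR."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4                       # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass
    return None


def build_response(query: bytes, answer_count: int, server_udp_size: int = 4096) -> bytes:
    """Model server reply: echoes the question, adds `answer_count` A records pointing back at
    the question name, and truncates (TC, no answers) only if the reply would exceed the size the
    client advertised (512 when the client sent no OPT RR)."""
    client_size = advertised_udp_size(query)
    client_limit = client_size if client_size is not None else CLASSIC_UDP_LIMIT
    question = query[12:skip_name(query, 12) + 4]
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, i % 256])
        for i in range(answer_count))                        # constructed 192.0.2.x addresses
    opt = opt_record(server_udp_size) if client_size is not None else b""
    flags, ancount = 0x8180, answer_count
    if 12 + len(question) + len(answers) + len(opt) > client_limit:
        flags, ancount, answers = 0x8180 | TC_FLAG, 0, b""   # RFC 1035: truncate, client retries over TCP
    header = query[0:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 1 if opt else 0)
    return header + question + answers + opt


def fixup_verdict(msg: bytes, limit: int = CLASSIC_UDP_LIMIT) -> str:
    """Stand-in for a fixup with a hard-coded DNS/UDP ceiling: any larger datagram is dropped."""
    return "drop" if len(msg) > limit else "pass"


def simulate(edns_udp_size: Optional[int], answer_count: int) -> dict:
    """One client/server exchange pushed through the fixed-limit fixup, with the client-side outcome."""
    query = build_query("example.test", edns_udp_size)
    response = build_response(query, answer_count)
    truncated = bool(struct.unpack("!H", response[2:4])[0] & TC_FLAG)
    verdict = fixup_verdict(response)
    if verdict == "drop":
        outcome = "client times out: EDNS-negotiated reply exceeds the fixup ceiling"
    elif truncated:
        outcome = "client retries over TCP (TC set); the UDP reply itself fits the ceiling"
    else:
        outcome = "answered over UDP"
    return {"query_len": len(query), "response_len": len(response),
            "truncated": truncated, "verdict": verdict, "outcome": outcome}


if __name__ == "__main__":
    for edns, n in ((None, 40), (4096, 40), (4096, 20)):
        print(f"edns={edns} answers={n}: {simulate(edns, n)}")
```

Without EDNS the 40-answer reply is truncated to a 30-byte TC response, passes the ceiling, and the client falls back to TCP; with EDNS0 advertising 4096 bytes the same reply goes out as a 681-byte UDP datagram, which the fixed ceiling drops and the client only sees as a timeout. A fixup that understood the OPT record could instead use the advertised size as the limit, which is the "off button" the post asks for.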

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
