Firewall Wizards mailing list archives
Re: Win 2003 and PiX
From: Luca Berra <bluca () comedia it>
Date: Sat, 10 May 2003 23:55:55 +0200
Paul Robertson wrote:
> On Sat, 10 May 2003, Luca Berra wrote:
>> seems that pix does not grok EDNS and i do not think you can remove this.
> Brian Ford's posted that 6.3 allows removal...

The link I posted comes from pix 6.3 documentation; besides, I cannot find how to do the changes Brian writes about.

>> RANT1: when will firewall vendors stop hardcoding arbitrary constraints in their products?
> Counter-rant: Enforcing limits in application layers is a *good* thing from a security perspective. The failure here *isn't* the limitation, it's getting the fix in by the time the protocol or implementation changes are widely deployed.

I said _hardcoding_arbitrary_limits_, which should mean it is _acceptable_ (*) to have a limit; it is _acceptable_ also if these limits are the default. What is IMHO *bad* in this is that the limit was hardcoded and that there was no 'Off button'. But pix 6.3 documentation available on www.cisco.com STATES that PIX ENFORCES a limit of 512 bytes on dns udp packets, and if Cisco changed this, they did not take the time to document it (or I am too silly to find that document). So could someone from Cisco clarify on this issue?

> Limits are a *good* way to stop buffer overflows, and in this case, I think Cisco was doing the right thing originally. They dropped the ball on keeping up to date. It doesn't hurt them business-wise that folks would need to keep the software up to date either, so I'm puzzled that they didn't have a fix ready to roll. I'm all for "On by default" too, though I think "No off button originally" is kind of short-sighted.

I am not sure I agree on this: software updates are expensive (and not much of the expense is going license-wise). There is already good reason to upgrade for getting new features (having numbered access lists would be a sufficient reason to upgrade in my view) and fixing genuine bugs. I don't think asking customers to upgrade to drop imposed limits is a good market trick.

(*) Now I do not really believe that a firewall that sets limits on upper layer protocols without reimplementing them as a real proxy is bound to do any good. Pix in this case allows a dns client/server pair to negotiate EDNS, then shoots at it. I have seen firewalls allowing mail servers to negotiate STARTTLS then being unable to understand wtf was going on. Everyone here has seen ftp fixups from various vendors being exploited in most creative ways. Is this *good*? Well... I can call it _acceptable_ based on the fact that implementing proxies is expensive, but I still have to be convinced in calling this good.

Regards,
L.
--
Luca Berra -- bluca () comedia it
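Added example, not part of the thread or of any Cisco code: a small Python check that parses a DNS/UDP message, looks for the EDNS0 OPT pseudo-record (type 41, whose CLASS field carries the advertised UDP payload size, per RFC 2671) and reports whether the message or the size the peers negotiated exceeds the 512-byte limit the thread says the PIX 6.3 DNS fixup enforces. The sample query is constructed inline; the limit value and the packet layout are assumptions taken from the thread and the RFC, not from PIX documentation.

```python
import struct

PIX_DNS_LIMIT = 512   # limit the thread cites from the PIX 6.3 DNS fixup docs
OPT_TYPE = 41         # EDNS0 OPT pseudo-RR type (RFC 2671)

def build_dns_query(name, udp_payload=None):
    """Constructed sample: minimal A query, optionally with an EDNS0 OPT record."""
    arcount = 1 if udp_payload else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)       # QTYPE=A, QCLASS=IN
    if not udp_payload:
        return header + question
    # OPT RR: root name, TYPE=41, CLASS=advertised UDP size, TTL=ext flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0)
    return header + question + opt

def _skip_name(pkt, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def edns_info(pkt):
    """Return (has_opt, udp_size): advertised EDNS size, or 512 for classic DNS."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == OPT_TYPE:
            return True, rclass
        off += 10 + rdlen
    return False, 512

def exceeds_fixup_limit(pkt, limit=PIX_DNS_LIMIT):
    """True if the datagram, or the size the peers negotiated, would trip the fixup."""
    has_opt, size = edns_info(pkt)
    return len(pkt) > limit or (has_opt and size > limit)
```

Run against captured queries, a True result predicts exactly the "negotiate EDNS, then shoot at it" behaviour described above, which is useful when diagnosing silently dropped lookups.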
Current thread:
- Win 2003 and PiX Iannaccone, Al (May 09)
- Re: Win 2003 and PiX Carson Gaspar (May 09)
- Re: Win 2003 and PiX Mikael Olsson (May 09)
- Re: Win 2003 and PiX Tony Rall (May 09)
- Re: Win 2003 and PiX Luca Berra (May 10)
- Re: Win 2003 and PiX Paul Robertson (May 10)
- Re: Win 2003 and PiX Luca Berra (May 11)
- Re: Win 2003 and PiX Paul Robertson (May 10)