From: Jeff Nathan (jeff@wwti.com)
Date: Fri May 04 2001 - 00:42:02 CDT

    Archive: http://msgs.securepoint.com/ids
    FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
    FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html
    IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
    HELP: Having problems... email questions to ids-owner@uow.edu.au
    NOTE: Remove this section from reply msgs otherwise the msg will bounce.
    SPAM: DO NOT send unsolicited mail to this list.
    UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
    -----------------------------------------------------------------------------
    I would have to disagree wholeheartedly.

    Verifying IP checksums should go without saying. In order to defragment
    a fragmented stream of IP packets, you must store each fragment until
    you have *all* of them. Thus this certainly DOES take memory and tax
    the firewall. Firewalls can break down (high CPU utilization) doing
    nothing but forwarding. If you plop firewall functionality onto a PIX
    (which is a *highly* underpowered piece of hardware), you can end up
    hammering the CPU. A box running a full OS such as Solaris and FW-1 is
    just as likely to suffer from CPU exhaustion. If you force border
    firewalls to defragment everything on fairly high-speed, highly utilized
    links, you can expect a performance hit.

    -Jeff

    Bill Royds wrote:
    >
    > I would think any firewall worthy of the name would verify that the IP frames are valid, even if they were not checking the application data. It is necessary to maintain the IP state they claim for stateful packet inspection so it would be no overhead to transmit the packets de-fragmented.
    >
    > -----Original Message-----
    > From: owner-ids@uow.edu.au [mailto:owner-ids@uow.edu.au] On Behalf Of
    > Greg Shipley
    > Sent: Thursday, May 03, 2001 14:37
    > To: ids@uow.edu.au
    > Subject: RE: IDS: RE: sequence No.
    >
    > On Wed, 2 May 2001, Bill Royds wrote:
    >
    > > I would think that a proper network architecture would have a border
    > > router that (heresy, heresy) de-fragments packets before they enter
    > > the local network. Then any IDS would be looking at a canonical format
    > > for packets. This might not be the format that a particular host would
    > > get if the host did the defragmentation but it would eliminate many of
    > > the Ptacek/Newsham gotchas in IDS.
    >
    > And that would be really cool...if most commercial firewalls supported it.
    > Unfortunately, last I checked both Cisco and Checkpoint are incapable of
    > doing this. For example, FW-1 does "virtual fragment re-assembly" which
    > re-assembles fragments for inspection, and then plops them back down on
    > the wire fragmented. I'm not sure what the PIX does, but I don't believe
    > it can do forced re-assembly, either.
    >
    > The reason I bring up "commercial" is that combined, Cisco and Checkpoint
    > make up 79% of the commercial FW market (according to the 2000 Infonetics
    > report). I believe one (more?) of the open-source firewalling solutions
    > are capable of doing forced re-assembly, but when you move into the HA
    > space ipchains/iptables/ipfilters become less of an option.
    >
    > In short, I was bouncing this very idea (forcing frag re-assembly at the
    > firewall) around in my head once and started doing research on who could
    > do it....and got nowhere.
    >
    > Anyway, a little off topic, but perhaps useful to some....
    >
    > -Greg

    -- 
    http://jeff.wwti.com (pgp key available)
    "Common sense is the collection of prejudices acquired by age eighteen."
    - Albert Einstein
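An added example, not code from anyone in this thread, of the bookkeeping Jeff describes: a minimal fragment reassembler that must hold every fragment of a datagram until the last one arrives, so a border device doing forced reassembly has to cap what it buffers, time out stale partial datagrams, and choose an overlap policy (here the lower offset wins; real hosts differ, which is the Ptacek/Newsham point). Offsets are in bytes rather than the 8-byte units of the real IP header, and all limits, addresses and fragments are constructed for illustration.

```python
from types import SimpleNamespace
class Reassembler:
    def __init__(self, max_buffered=4096, timeout=30.0):
        self.max_buffered = max_buffered  # cap on bytes held across all partial datagrams
        self.timeout = timeout            # seconds a partial datagram may wait for the rest
        self.partials = {}                # (src, dst, ident) -> partial datagram
        self.buffered = 0                 # the memory cost Jeff describes
        self.dropped = 0                  # fragments refused or expired (worth alerting on)

    def add(self, key, offset, more_fragments, payload, now):
        """Return the whole datagram once every byte is present, else None."""
        self.expire(now)
        if self.buffered + len(payload) > self.max_buffered:
            self.dropped += 1             # refuse rather than let the buffer grow unbounded
            return None
        p = self.partials.setdefault(key, SimpleNamespace(first_seen=now, chunks={}, total_len=None))
        if offset not in p.chunks:        # a repeat of the same offset is ignored
            p.chunks[offset] = payload    # chunks: byte offset -> payload
            self.buffered += len(payload)
        if not more_fragments:
            p.total_len = offset + len(payload)
        data, end = bytearray(), 0
        for off, chunk in sorted(p.chunks.items()):
            if off > end:
                return None               # hole: still waiting for a fragment
            data += chunk[end - off:]     # overlap: bytes from the lower offset are kept
            end = len(data)
        if p.total_len is None or end < p.total_len:
            return None                   # last fragment not seen yet
        self.buffered -= self.free(key)
        return bytes(data[:p.total_len])

    def expire(self, now):
        for key, p in list(self.partials.items()):
            if now - p.first_seen > self.timeout:  # stale: free its memory and count it
                self.buffered -= self.free(key)
                self.dropped += 1

    def free(self, key):
        return sum(len(c) for c in self.partials.pop(key).chunks.values())

def demo():
    r = Reassembler(max_buffered=32, timeout=30.0)
    key = ("10.0.0.1", "10.0.0.2", 0x1234)               # constructed sample datagram
    last, held = r.add(key, 16, False, b"ghijklmn", now=0.0), r.buffered  # held until complete
    whole = r.add(key, 0, True, b"0123456789abcdef", now=1.0)
    lone = r.add(("10.0.0.3", "10.0.0.2", 7), 0, True, b"x" * 24, now=2.0)
    refused = r.add(("10.0.0.4", "10.0.0.2", 8), 0, True, b"y" * 16, now=3.0)
    r.expire(now=40.0)                                   # the lone fragment times out
    return last, held, whole, lone, refused, r.buffered, r.dropped
```

`demo()` shows the three outcomes a defender cares about: the out-of-order datagram costs 8 buffered bytes until it completes, the fragment that would exceed the cap is refused, and the never-completed one is freed by the timeout, with both events counted in `dropped`.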