Re: Cisco PIX bug, discussions (lenghty)
Euan (euan access.org.uk)
Wed, 26 Aug 1998 09:02:17 +0100
- Next message: Wood, Tom D: "Executives liable for computer crime? (update)"
- Previous message: Paul M. Cardon: "Re: password aging"
- In reply to: H. Morrow Long: "Re: password aging"
- Next in thread: Robert Stahlbrand: "Re: Cisco PIX bug, discussions (lenghty)"
- Reply: Robert Stahlbrand: "Re: Cisco PIX bug, discussions (lenghty)"
- Reply: Aleph One: "Re: Cisco PIX bug, discussions (lenghty)"
>>Now, having said this, we can start the war between application
>>gateway firewalls (which often rely on host TCP/IP stack for
>>defragmentation) and `stateful inspection' firewalls (which must
>>defragment).
>
>No war necessary... SPF/SMLI/SI firewalls need to defrag
>to operate properly. None of the ones on the market (so
>far as I know) do so currently. All AGs do, by their nature.
>As far as frags go, AGs win.
>
Firewall-1 v3.0 manual, p350:
"Firewall-1 performs virtual packet reassembly, and does not send a packet
until all its fragments have been collected. The algorithm used is
stricter than the standard packet reassembly algorithm, and does not permit
overlays".
So it would appear that at least one SMLI firewall on the market does
defrag. Of course this takes us back to the DoS attacks hinted at
previously...
-Euan.
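
The behaviour described in the manual excerpt above (hold every fragment until the datagram is complete, refuse overlaps) together with the state-exhaustion concern raised after it, as an added example that is not part of the original post and is not Check Point's algorithm. The class name, the limits and the timeout are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

MAX_QUEUES = 1024      # assumed cap on datagrams under reassembly
MAX_FRAGS = 64         # assumed cap on fragments per datagram
MAX_DATAGRAM = 65535   # largest IPv4 datagram
TIMEOUT = 30.0         # assumed seconds before an incomplete datagram is discarded

@dataclass
class Queue:
    started: float
    frags: dict = field(default_factory=dict)  # byte offset -> payload
    total: int = -1                            # set when the MF=0 fragment arrives

class StrictReassembler:
    def __init__(self):
        self.queues = {}

    def add(self, key, offset, more_frags, payload, now):
        """key is (src, dst, proto, ip_id). Returns 'hold', 'drop' or the datagram bytes."""
        # Expire stale queues so held fragments cannot pin memory indefinitely.
        for k in [k for k, q in self.queues.items() if now - q.started > TIMEOUT]:
            del self.queues[k]
        q = self.queues.get(key)
        if q is None:
            if len(self.queues) >= MAX_QUEUES:
                return "drop"                  # table full: refuse new state
            q = self.queues[key] = Queue(started=now)
        end = offset + len(payload)
        spans = [(o, o + len(p)) for o, p in q.frags.items()]
        bad = (
            not payload or end > MAX_DATAGRAM or len(spans) >= MAX_FRAGS
            or (more_frags and len(payload) % 8 != 0)         # only the last fragment may be unaligned
            or (q.total >= 0 and (not more_frags or end > q.total))
            or (not more_frags and any(e > end for _, e in spans))
            or any(offset < e and s < end for s, e in spans)  # overlap, including exact duplicates
        )
        if bad:
            del self.queues[key]   # strict policy: discard everything held for this datagram
            return "drop"
        q.frags[offset] = payload
        if not more_frags:
            q.total = end
        # Non-overlapping pieces inside [0, total) that sum to total cover it with no holes.
        if q.total >= 0 and sum(len(p) for p in q.frags.values()) == q.total:
            del self.queues[key]
            return b"".join(p for _, p in sorted(q.frags.items()))
        return "hold"
```

Nothing is forwarded until `add` returns bytes, so the caps and the timeout are what bound the memory an incomplete or never-finished fragment train can hold.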
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:40 CDT