OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
NFR Wizards Archive: Re: Cisco PIX bug, discussions (lenghty)

Re: Cisco PIX bug, discussions (lenghty)


Euan (euanaccess.org.uk)
Wed, 26 Aug 1998 09:02:17 +0100


>>Now, having said this, we can start the war between application
>>gateway firewalls (which often rely on host TCP/IP stack for
>>defragmentation) and `stateful inspection' firewalls (which must
>>defragment).
>
>No war neccessary... SPF/SMLI/SI firewalls need to defrag
>to operate properly. None of the ones on the market (so
>far as I know) do so currently. All AGs do, by their nature.
>As far as frags go, AGs win.
>
Firewall-1 v3.0 manual, p350:

"Firewall-1 performs virtual packet reassembly, and does not send a packet
until all it's fragments have been collected. The algorithm used is
stricter than the standard packet reassembly algorithm, and does not permit
overlays".

So it would appear that at least one SMLI firewall on the market does
defrag. Of course this takes us back to the DoS attacks hinted at
previously...

-Euan.



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:40 CDT