NFR Wizards Archives: Re: Compare Firewalls

Re: Compare Firewalls


Darren Reed (darrenrreed.wattle.id.au)
Thu, 9 Sep 1999 22:16:16 +1000 (EST)


In some email I received from Dameon D. Welch, sie wrote:
>
> An application layer filter can not protect your OS against certain DOS
> attacks such as a Ping of Death. A ping of death causes problems at the
> IP stack, which an application can not effectively protect. An application
> can filter based on IP addresses, but it's more like an access list for
> the application (like TCP Wrappers) versus kernel-level packet filtering.

Is this just ignorance or what? Well, I guess it depends on _what_ you
consider as being "protected" here. If you want to include the firewall
itself, then if it just does application proxying, sure, it may die from
the Ping of Death. But unless their product is a total piece of garbage,
whatever is behind it should be immune to the Ping of Death. (When I say
garbage, I'm implying that they must have an ICMP relay program that not
only receives a PoD without dying but creates one itself, which I would
consider rather extraordinary for a firewall to do).

FWIW, the application proxy should be able to do filtering on things like
source routing (socket options), bad source addresses/port numbers - other
nasty packets such as those fragmented inside the TCP header aren't going
to be a worry because they need to be reassembled by the proxy firewall
and will be treated as a whole by the firewall and not resent on as those
nastygrams.

Darren
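The distinction the message draws is between what a kernel-level packet filter must check explicitly (fragment offsets and lengths, before anything is reassembled) and what an application proxy gets for free, because the proxy only ever reads the reassembled stream. The following is an added example, not code from the original post or from any product discussed on this list; it shows the fragment sanity checks a filter would apply, so that a Ping-of-Death-class datagram or a fragment set that splits or overwrites the TCP header is dropped rather than reassembled. The `Fragment` class, the field names, the `check_fragment` and `reassemble` helpers and the thresholds are this example's own assumptions, and the sample fragments are constructed, not captured traffic.

```python
# Added example (not from the original post): fragment sanity checks of the
# kind a kernel-level packet filter applies before forwarding. Fragment, the
# helper names and the thresholds are this example's own assumptions; the
# sample fragments in __main__ are constructed, not captured traffic.
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_MAX_DATAGRAM = 65535   # largest IPv4 datagram in bytes; nothing may reassemble past it
TCP_HEADER_MIN = 20       # a TCP header is at least 20 bytes (ports, seq, flags)
IPPROTO_ICMP = 1
IPPROTO_TCP = 6


@dataclass
class Fragment:
    ident: int            # IP identification field shared by one datagram's fragments
    protocol: int         # IP protocol number of the payload
    offset: int           # fragment offset in 8-byte units, as carried in the IP header
    more_fragments: bool  # MF flag
    payload: bytes        # bytes after the IP header


def check_fragment(frag: Fragment) -> Optional[str]:
    """Return a reason to drop this fragment, or None if it looks sane."""
    start = frag.offset * 8
    end = start + len(frag.payload)
    # Ping of Death class: the offset/length pair would place data beyond the
    # largest possible IP datagram, which is what overflowed reassembly buffers.
    if end > IP_MAX_DATAGRAM:
        return "oversized: reassembly would exceed 65535 bytes"
    # Every fragment except the last must carry a multiple of 8 bytes.
    if frag.more_fragments and len(frag.payload) % 8 != 0:
        return "malformed: non-final fragment length is not a multiple of 8"
    if frag.protocol == IPPROTO_TCP:
        # Tiny first fragment: the TCP header is split, so a filter that only
        # inspects the first fragment cannot see the ports and flags.
        if frag.offset == 0 and frag.more_fragments and len(frag.payload) < TCP_HEADER_MIN:
            return "tiny first fragment: TCP header is split across fragments"
        # A later fragment writing into the header region would overwrite the
        # ports and flags the filter already approved on the first fragment.
        if 0 < start < TCP_HEADER_MIN:
            return "overlap: fragment writes into the TCP header region"
    return None


def reassemble(frags: List[Fragment]) -> Tuple[Optional[bytes], Optional[str]]:
    """Reassemble one datagram's fragments; refuse anything check_fragment
    flags and any set with gaps, overlaps or no final fragment."""
    if not frags:
        return None, "no fragments"
    for f in frags:
        reason = check_fragment(f)
        if reason:
            return None, reason
    ordered = sorted(frags, key=lambda f: f.offset)
    buf = bytearray()
    expected = 0
    for f in ordered:
        start = f.offset * 8
        # Strict contiguity: no holes and no overlapping rewrites of earlier data.
        if start != expected:
            return None, "gap or overlap between fragments"
        buf.extend(f.payload)
        expected = start + len(f.payload)
    if ordered[-1].more_fragments:
        return None, "incomplete: final fragment missing"
    return bytes(buf), None


if __name__ == "__main__":
    # Constructed samples for illustration only.
    pod = [Fragment(1, IPPROTO_ICMP, 8190, False, b"\x00" * 100)]        # 65520 + 100 > 65535
    tiny = [Fragment(2, IPPROTO_TCP, 0, True, b"\x00" * 16),
            Fragment(2, IPPROTO_TCP, 2, False, b"\x00" * 8)]
    good = [Fragment(3, IPPROTO_TCP, 0, True, b"a" * 24),
            Fragment(3, IPPROTO_TCP, 3, False, b"b" * 10)]
    for name, frags in (("ping-of-death", pod), ("tiny-fragment", tiny), ("normal", good)):
        data, reason = reassemble(frags)
        print(f"{name}: {'forwarded %d bytes' % len(data) if data else 'dropped: ' + reason}")
```

A proxy sitting on a normal socket never runs code like this itself: the host stack reassembles (or discards) the datagram, and the proxy reads whatever bytes survive and re-sends them as its own, freshly built packets. That is the sense in which the "nastygrams" are not resent on by a proxy firewall, while a packet filter has to make these decisions per fragment.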



This archive was generated by hypermail 2.0b3 on Fri Sep 10 1999 - 06:04:28 CDT