NFR Wizards Archive: Re: Pix crashing with ISS snmp checks

Re: Pix crashing with ISS snmp checks


Adam Shostack (adamhomeport.org)
Thu, 4 Mar 1999 10:21:43 -0500


On Wed, Mar 03, 1999 at 06:10:57PM -0500, Eric Budke wrote:
| I'm trying to track down version numbers for this, but it appears that with
| ISS 5.6.2 in the snmp check section that we successfully killed a pix
| router (the OS version is in question).
|
| Is there a habit of this happening?
| We weren't running DOS checks, and I haven't been able to try other snmp
| checks against it...client is a little hesitant until after their
| post-mortem.

        The problem here is not with ISS, but with the PIX. If I can
run an easily available tool and crash your firewall, you have a
serious problem. There are checks in every security scanner which
will crash a target unexpectedly; scanners, by their nature, work
outside the bounds that the system designers anticipated. We all try
to minimize the DOS effects, and ensure that we warn you when you hit
them, but a firewall really should be able to handle the full bore
scan without blinking. If it repeatedly can't, I urge you to get a
refund.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:15 CDT