Re: Firewall comparison in Data Communications
Ge' Weijers (ge at progressive-systems.com)
Thu, 3 Jun 1999 11:39:21 -0400
On Thu, Jun 03, 1999 at 07:44:58AM -0400, Steven M. Bellovin wrote:
> Right. More fundamentally, firewalls can't protect you against bugs at
> a higher level of the protocol stack. An IP+port number firewall (i.e.,
> a typical packet filter) is blind to TCP holes. For that matter, it's
> blind to attacks based on other portions of the IP packet that it doesn't
> look at -- 'ping of death' comes to mind.
Even dynamic packet filters (marketing-speak: Multi-Layer Stateful
Inspection firewalls) only have limited value here. Most of them don't
match 'host/network unreachable' ICMP messages to actual connection
attempts. Not that this _can't_ be done correctly; the overhead is
just considered too high. And there's your hole to get a variant of
ping of death through.
Ge'
--
Ge' Weijers                          Voice: (614)326 4600
Progressive Systems, Inc.            FAX:   (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220
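The correlation the post says most dynamic packet filters skip, checking that an inbound ICMP unreachable actually refers to a connection the firewall has open before letting it through, as an added example that is not from the post or from any product mentioned in the thread. It assumes a connection table keyed by (proto, local IP, local port, remote IP, remote port), IPv4 only, and TCP or UDP inside the quoted datagram; the two build_* functions produce constructed test input, not real traffic.

```python
import struct
from typing import Optional, Set, Tuple

# Connection-table key: (proto, local_ip, local_port, remote_ip, remote_port)
Flow = Tuple[int, str, int, str, int]

def _ipv4_header(buf: bytes):
    """Return (header_len, proto, src, dst) for an IPv4 header, or None."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    return ihl, buf[9], ".".join(map(str, buf[12:16])), ".".join(map(str, buf[16:20]))

def icmp_error_flow(pkt: bytes) -> Optional[Flow]:
    """Flow of the outbound datagram quoted inside an inbound ICMP type 3
    (destination unreachable) packet, per RFC 792; None if unparseable."""
    outer = _ipv4_header(pkt)
    if outer is None or outer[1] != 1:          # not IPv4, or not ICMP
        return None
    icmp = pkt[outer[0]:]
    if len(icmp) < 8 or icmp[0] != 3:           # not destination unreachable
        return None
    inner = _ipv4_header(icmp[8:])              # quoted IP header follows
    if inner is None:
        return None
    iihl, iproto, isrc, idst = inner
    l4 = icmp[8 + iihl:]
    if iproto not in (6, 17) or len(l4) < 4:    # need TCP/UDP port fields
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    # The quoted datagram left our network, so its source is the local side.
    return (iproto, isrc, sport, idst, dport)

def accept_icmp_error(pkt: bytes, conntrack: Set[Flow]) -> bool:
    """Pass an ICMP error only if it refers to a flow the table has open."""
    flow = icmp_error_flow(pkt)
    return flow is not None and flow in conntrack

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed test input: minimal IPv4 header, no options, zero checksum."""
    a = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, a(src), a(dst)) + payload

def build_unreachable(src: str, dst: str, quoted: bytes) -> bytes:
    """Constructed test input: ICMP type 3 code 1 quoting the first 28 bytes of the triggering datagram."""
    return build_ipv4(src, dst, 1, bytes([3, 1, 0, 0, 0, 0, 0, 0]) + quoted[:28])
```

An ICMP error whose quoted header names a port pair that is not in the table is dropped, which is the case an unsolicited or forged unreachable falls into.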
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT