Re: Firewall comparison in Data Communications
From: dnewman@cmp.com
Date: Thu, 3 Jun 1999 11:45:24 -0400
Most SPF products (including all those in the Data Comm) have specific anti-ping
o' death routines. True, this usually isn't part of the SPF itself. But there
are safeguards in place against common attacks like IP spoofing, SYN flooding,
ping of death, and the like.
In the case of the ping of death, I presume these routines drop ICMP packets
with a length greater than 64 kbytes. I'm curious to hear--what variant of the
ping of death would be allowed through?
dn
"Ge' Weijers" <ge@progressive-systems.com> on 06/03/99 11:39:21 AM
To: "Steven M. Bellovin" <smb@research.att.com>
cc: Robert Graham <robert_david_graham@yahoo.com>, Matt Curtin <cmcurtin@interhack.net>, David Newman <dnewman@data.com>, firewall-wizards@nfr.net, firewalls@lists.gnac.net
bcc: David Newman/NYC/CMPNotes
Subject: Re: Firewall comparison in Data Communications
On Thu, Jun 03, 1999 at 07:44:58AM -0400, Steven M. Bellovin wrote:
> Right. More fundamentally, firewalls can't protect you against bugs at
> a higher level of the protocol stack. An IP+port number firewall (i.e.,
> a typical packet filter) is blind to TCP holes. For that matter, it's
> blind to attacks based on other portions of the IP packet that it doesn't
> look at -- 'ping of death' comes to mind.
Even dynamic packet filters (marketing-speak: Multi-Layer Stateful
Inspection firewalls) only have limited value here. Most of them don't
match 'host/network unreachable' ICMP messages to actual connection
attempts. Not that this _can't_ be done correctly, the overhead is
just considered too high. And there's your hole to get a variant of
ping of death through.
Ge'
--
Ge' Weijers                    Voice: (614)326 4600
Progressive Systems, Inc.      FAX:   (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220
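The two checks discussed in this exchange, an oversized-fragment ("ping of death") test and the matching of an ICMP host/network unreachable back to a connection the firewall has actually seen, as an added Python example that is not part of the thread or of any product it names. Addresses, ports, the flow table and the packets are all constructed for the example.

```python
import struct

ICMP, TCP, UDP, ICMP_DEST_UNREACH = 1, 6, 17, 3  # IP protocol numbers; ICMP type 3 = unreachable

def parse_ipv4(pkt):
    """Return the IPv4 header fields needed below; raise ValueError if malformed."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    vihl, _, total_len, _, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header")
    return {"proto": proto, "src": src, "dst": dst, "ihl": ihl, "total_len": total_len,
            "frag_off": (ff & 0x1FFF) * 8, "mf": bool(ff & 0x2000)}

def fragment_is_oversized(pkt):
    """Ping-of-death check: would this fragment reassemble past the 65535-byte IP limit?"""
    ip = parse_ipv4(pkt)
    return ip["frag_off"] + (ip["total_len"] - ip["ihl"]) > 65535

def icmp_error_matches_flow(pkt, flows):
    """Accept a destination-unreachable only if its quoted inner packet belongs to a tracked flow."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != ICMP:
        return False
    icmp = pkt[ip["ihl"]:]
    if len(icmp) < 8 or icmp[0] != ICMP_DEST_UNREACH:
        return False
    inner = icmp[8:]  # RFC 792: original IP header plus at least 8 bytes of its payload
    try:
        iip = parse_ipv4(inner)
    except ValueError:
        return False
    if iip["proto"] not in (TCP, UDP) or len(inner) < iip["ihl"] + 8:
        return False
    sport, dport = struct.unpack("!HH", inner[iip["ihl"]:iip["ihl"] + 4])
    # The quoted packet is the one the inside host sent, so its src/dst are the flow's own.
    return (iip["proto"], iip["src"], sport, iip["dst"], dport) in flows

def build_ipv4(proto, src, dst, payload, frag_off=0, mf=False):
    """Construct a minimal IPv4 packet (checksum left zero; enough for the checks above)."""
    ff = (0x2000 if mf else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, ff, 64, proto, 0, src, dst)
    return hdr + payload

# Constructed sample traffic: one inside client with a single tracked TCP flow to a web server.
INSIDE, SERVER, ROUTER = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])
FLOWS = {(TCP, INSIDE, 40000, SERVER, 80)}  # (proto, src, sport, dst, dport) seen leaving the inside
UNREACH_HDR = bytes([ICMP_DEST_UNREACH, 1, 0, 0, 0, 0, 0, 0])  # code 1 = host unreachable
RELATED = build_ipv4(ICMP, ROUTER, INSIDE, UNREACH_HDR + build_ipv4(TCP, INSIDE, SERVER, struct.pack("!HHI", 40000, 80, 1)))
UNRELATED = build_ipv4(ICMP, ROUTER, INSIDE, UNREACH_HDR + build_ipv4(TCP, INSIDE, SERVER, struct.pack("!HHI", 40001, 80, 1)))
LAST_FRAG = build_ipv4(ICMP, ROUTER, INSIDE, b"\x00" * 100, frag_off=65528)  # 65528 + 100 > 65535
```

A filter that skips the flow lookup passes UNRELATED as well as RELATED; that is the gap Ge' refers to, and the lookup is the overhead he says vendors avoid.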
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT