Please let me know how PIX handles this exploit.I would be interested
becuase we are planning to install Checkpoint FW 1.0 .I understand
Checkpoint has given a solution using Inpsect.
But are there other alternatives.
Using PIX and cisco
Regards
Kavita
>From: Nimesh Vakharia <[EMAIL PROTECTED]>
>Reply-To: Nimesh Vakharia <[EMAIL PROTECTED]>
>To: Richard Holland <[EMAIL PROTECTED]>
>CC: [EMAIL PROTECTED]
>Subject: Re: Checkpoint firewall
>Date: Fri, 9 Jun 2000 20:01:23 -0400 (EDT)
>
>
>I am curious how the PIX handles this exploit.
>
>The exploit is Checkpoint reassembles fragmented packet before forwarding.
>But it does not inspect the packet in any way until it has completely
>built the packet... so you can keep sending multiple fragments and it
>keeps reassembling, using up system resources and probably crash at one
>point. Checkpoint supposedly does not check against its rule base
>(conduit/statics in PIX) when it receives a fragmented packet!
>
>I vaguely remember that the PIX ignores the first fragment of the
>entire series (if it maches the rules) and forwards everything after that.
>This way irrespective of how malicious the fragment is, it never gets
>built at the host end....Can anyone confirm as to how the PIX handles
>fragmented packets?
>
>BTW: Check out
> http://www.enteract.com/~lspitz/fwtable.html
>
>This really shows how much work need to be done on firewall code!
> - Stateful monitoring is a joke
> - No inspection on sequence nos.
> - Fragments!
>
>Nimesh.
>
>On Fri, 9 Jun 2000, Richard Holland wrote:
>
> > This is a bit off-topic, but I recall a discussion of using Checkpoint
> > firewall, and thought I'd share a SANS security newsletter concerning
> > checkpoint.
> >
> > "It's possible to use various fragmented packets (such as those
>generated by
> > Jolt2.c) to cause the firewall to crash or operate at 100% CPU
>utilization.
> > Firewall rules are ineffective for defense. More information is in this
> > issue as item {00.24.025} ("Check Point FireWall-1 fragmentation DoS")."
> >
> > I could forward the complete message to anybody interested.
> >
> > Richard A. Holland
> > CCNP,MCSE,OpenBSD
> >
> > ___________________________________
> > UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> > FAQ, list archives, and subscription info: http://www.groupstudy.com
> > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> >
>
>
>___________________________________
>UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
>FAQ, list archives, and subscription info: http://www.groupstudy.com
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
