Rick Murphy wrote:
> 
> At 02:37 PM 5/25/00 +0200, Mikael Olsson wrote:
> >All you've got to do with a filtering firewall is implement the correct
> >filter (or wait for a fix) and you get the vulnerable servers back up.

This thread ought to be terminated, but I just can't resist a good
argument when I see one :-)

> Good theory, not seen to work in practice. For example, the Ping-Of-Death
> bug. The first fixes for SYN flood attacks came from the proxy firewall
> vendors, not packet filters.

*ahem*. Back then, stateful packet filters were a fairly new idea
(I may even have my history wrong here, did they exist at all?)
so I wouldn't consider this a representative example. Competition
and maturity of technology have certainly improved response time
among responsible companies.

If you have a better one, please provide that instead.

> Now there's fragment leakage attacks. What 'correct filter' rule are you
> going to add to fix that?

Drop all fragments to vulnerable servers until a fix is released?
(Provided that the firewall has this configuration option; not all do.)
 
> There's an argument to be made both ways. The secure stance is to fail - if
> you're under attack at your firewall, who knows what else is being
> attacked? While you're concentrating on deflecting the DDOS, the cracker is
> performing a slow port scan of your network and you'll never notice.

Again, not a good example. DDoS is a problem no matter what firewall you
have. Unless there's a firewall that willingly shuts down when more than
10 packets per second are dropped, or something like that. (And I have
yet to see such a firewall).

Also, the same thing may be accomplished by sending a copy of Melissa
to the victim. :-P

> However, if you're E-Bay, you want to stay up no matter what.

Agreed.

> This whole thing is the perfect argument for defense in depth - put two
> firewalls in series using different technology 

Definitely!
This is nearly always the best solution. (I won't go as far as to
say "always" because there are always special cases. Bah.)


-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
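The stop-gap Mikael suggests above ("drop all fragments to vulnerable servers until a fix is released") is easy to state but has one edge case worth seeing in code: a fragmented datagram is identified either by the More Fragments flag (first and middle fragments) or by a non-zero fragment offset (the last fragment has MF clear), and a rule that checks only one of the two lets part of the stream through. The following is an added example, not code from the original thread or from EnterNet; it models that filter rule as a small IPv4 header classifier over constructed packets. The host list and the packet builder are assumptions for the example.

```python
import struct
from ipaddress import ip_address

# Constructed list of servers believed vulnerable to fragment-handling bugs.
# Assumption for this example; not taken from the original thread.
VULNERABLE_HOSTS = {"192.0.2.10", "192.0.2.11"}

IP_FLAG_DF = 0x4000     # Don't Fragment
IP_FLAG_MF = 0x2000     # More Fragments
IP_OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units

IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed part of an IPv4 header into the fields a filter needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "src": str(ip_address(src)),
        "dst": str(ip_address(dst)),
        "proto": proto,
        "ident": ident,
        "df": bool(flags_off & IP_FLAG_DF),
        "mf": bool(flags_off & IP_FLAG_MF),
        "offset": (flags_off & IP_OFFSET_MASK) * 8,  # byte offset into the datagram
        "total_len": total_len,
    }


def is_fragment(hdr: dict) -> bool:
    """True for any piece of a fragmented datagram, including the last one
    (MF clear, offset > 0). Checking MF alone would miss the last fragment."""
    return hdr["mf"] or hdr["offset"] != 0


def decide(pkt: bytes, vulnerable_hosts=VULNERABLE_HOSTS) -> str:
    """The stop-gap rule: drop fragments addressed to listed hosts, pass the rest."""
    hdr = parse_ipv4_header(pkt)
    if is_fragment(hdr) and hdr["dst"] in vulnerable_hosts:
        return "DROP"
    return "ACCEPT"


def build_ipv4(src: str, dst: str, *, proto: int = 17, ident: int = 1,
               mf: bool = False, offset: int = 0, df: bool = False,
               payload: bytes = b"") -> bytes:
    """Constructed test packets only: a minimal IPv4 header with a zero checksum."""
    flags_off = (IP_FLAG_DF if df else 0) | (IP_FLAG_MF if mf else 0) \
        | ((offset // 8) & IP_OFFSET_MASK)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload


def filter_stream(packets, vulnerable_hosts=VULNERABLE_HOSTS) -> dict:
    """Apply the rule to a sequence of packets and return verdict counts."""
    counts = {"ACCEPT": 0, "DROP": 0}
    for pkt in packets:
        counts[decide(pkt, vulnerable_hosts)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: one whole datagram, then a three-piece fragmented one,
    # all addressed to a listed host, plus one fragment to an unlisted host.
    sample = [
        build_ipv4("198.51.100.7", "192.0.2.10", payload=b"x" * 40),
        build_ipv4("198.51.100.7", "192.0.2.10", ident=7, mf=True, offset=0),
        build_ipv4("198.51.100.7", "192.0.2.10", ident=7, mf=True, offset=1480),
        build_ipv4("198.51.100.7", "192.0.2.10", ident=7, mf=False, offset=2960),
        build_ipv4("198.51.100.7", "192.0.2.99", ident=8, mf=False, offset=1480),
    ]
    for pkt in sample:
        h = parse_ipv4_header(pkt)
        print(f"{h['dst']:>12} mf={h['mf']!s:5} off={h['offset']:5d} -> {decide(pkt)}")
    print(filter_stream(sample))
```

When translating this into a real firewall rule, check how the engine defines "fragment": some rule languages match only second-and-later fragments (iptables' `-f` is one such case), so the first fragment needs its own rule if the intent is to drop the whole datagram. And as Mikael notes, this is a temporary measure: it stops legitimate fragmented traffic to those hosts as well, so it belongs in a change record with a removal date tied to the vendor fix.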