Hi!
Recently on the Networks & Telecom fair in Stockholm, Sweden,
tests were performed against multiple firewalls, of which
Watchguard Firebox II was one.
The test required that all attack recognition was to be turned off.
During the tests, data flood tests were performed against a public
FTP and SMTP service, which resulted in these crashing on the
firewall. A reboot was required to restore functionality.
A representative claimed later that this would not be an issue
with attack recognition turned on.
However, knowing the countermeasure of the Firebox:
Disabling all access from the attacker's IP for 20 minutes,
I'm not sure if that's a good solution.
I myself would not want to enable such a countermeasure, since
it is very easy to turn it into a denial of service attack.
Assume that I know that host A on the 'net wants to communicate
with host B (a public web server perhaps?) behind a firebox.
All I'd have to do to disrupt communication would be to send a
couple of christmas tree packets to host B, claiming to be from
host A, and I'd very efficiently have denied host A access to
host B for 20 minutes.
And, all I'd have to do to keep the DoS up is to send another couple
of nastygrams every 20 minutes.
Does this strike anyone else as a "not so good idea"?
Just my $.02
Regards,
Mike
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
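The failure mode Mike describes, as an added simulation that is not part of the original post and not Watchguard code: a firewall policy that reacts to a suspicious packet by blocking its header source address for 20 minutes, run over a constructed trace in which a third party forges host A's address. All names (`AutoBlocker`, `Packet`, `run`, `legitimate_denied`, the `in_session` and `never_block` options) and the addresses are invented for the example; the `in_session` flag stands in for "this packet belongs to a TCP connection whose three-way handshake completed", which a sender using a forged source address would not normally be able to produce because it never sees the server's SYN-ACK. The two mitigations modelled here (only auto-block sources with established sessions, or exempt known peers) are the editor's suggestions, not anything the post or the vendor states.

```python
"""Simulation of the 'block the offending source for 20 minutes' countermeasure.

Constructed example: it models only what the firewall can see (the source
address written in the IP header), not real packets. Hypothetical names;
not the firewall vendor's code.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

BLOCK_SECONDS = 20 * 60  # the block window described in the post


@dataclass
class Packet:
    t: float                  # arrival time, seconds since start of the trace
    src: str                  # source address as written in the IP header (untrusted)
    dst: str
    suspicious: bool = False  # tripped attack recognition (e.g. an illegal flag combination)
    in_session: bool = False  # part of a TCP connection whose handshake completed;
                              # a sender forging src would not normally see the
                              # SYN-ACK, so it cannot produce such packets blindly


@dataclass
class AutoBlocker:
    """Firewall policy: drop suspicious packets and, optionally, block their source."""
    block_sources: bool = True
    require_session: bool = False            # only block sources with an established session
    never_block: FrozenSet[str] = frozenset()  # peers that must never be auto-blocked
    blocked_until: Dict[str, float] = field(default_factory=dict)

    def handle(self, pkt: Packet) -> str:
        until = self.blocked_until.get(pkt.src)
        if until is not None and pkt.t < until:
            return "drop: source blocked"
        if not pkt.suspicious:
            return "forward"
        # Dropping the suspicious packet itself costs nothing. Blocking its
        # source is the step the post questions: the address is unauthenticated,
        # so the block lands on whoever the sender chose to name.
        if (self.block_sources and pkt.src not in self.never_block
                and (pkt.in_session or not self.require_session)):
            self.blocked_until[pkt.src] = pkt.t + BLOCK_SECONDS
            return "drop: source blocked for 20 min"
        return "drop: alert only"


# Constructed trace. 'A' is a legitimate client of web server 'B'. The packets
# at t=60 and t=1270 come from a third party with A's address forged as source;
# by the header alone the firewall cannot tell them from A's own traffic.
A, B = "192.0.2.10", "198.51.100.5"
TRACE = [
    Packet(t=0,    src=A, dst=B, in_session=True),   # A's genuine request
    Packet(t=60,   src=A, dst=B, suspicious=True),   # forged, claims to be A
    Packet(t=120,  src=A, dst=B, in_session=True),   # A's genuine request
    Packet(t=1270, src=A, dst=B, suspicious=True),   # forged again, just after the window closes
    Packet(t=1300, src=A, dst=B, in_session=True),   # A's genuine request
]


def run(policy: AutoBlocker, trace: List[Packet] = TRACE) -> List[str]:
    """Disposition of every packet under the given policy (policy state is mutated)."""
    return [policy.handle(p) for p in trace]


def legitimate_denied(policy: AutoBlocker, trace: List[Packet] = TRACE) -> int:
    """How many of A's genuine (in_session) packets the policy refused to forward."""
    dispositions = run(policy, trace)
    return sum(1 for p, d in zip(trace, dispositions) if p.in_session and d != "forward")


if __name__ == "__main__":
    for label, policy in [
        ("naive auto-block", AutoBlocker()),
        ("block only established sources", AutoBlocker(require_session=True)),
        ("exempt known peer A", AutoBlocker(never_block=frozenset({A}))),
        ("alert only, never block", AutoBlocker(block_sources=False)),
    ]:
        print(f"{label}: genuine packets from A denied = {legitimate_denied(policy)}")
```

Under the naive policy the first forged packet blocks A, and the second forged packet, timed just after the window expires, renews the block, so A's request at t=1300 is still dropped; that is the "another couple every 20 minutes" point from the post. Tying the block decision to an established session, or keeping an exemption list of peers whose reachability matters, removes the denial without giving up the alert, and the alert itself is what detection staff should be looking at when a single source keeps tripping the sensor.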