Yikes! That earned me more than just a couple of almost-flames.
(OK, not all were flames)
I'll try to sum up my responses here.

Filip Jonckers wrote:
> >
> > Recently on the Networks & Telecom fair in Stockholm, Sweden,
> > tests were performed against multiple firewalls, of which
> > Watchguard Firebox II was one.
> >
> 
> Are the results documented somewhere ?
> URL, docs, ... ???


They were displayed publicly on a summary at the fair; apparently
this doesn't help most of you guys a whole lot since it's more than
just a little out of your way to have been to.

I asked to have the results sent to me (powerpoint file) but they
haven't arrived just yet :-(

The fair was on during the 14th--16th of September.


Sam James wrote:
> 
> Recently? How recently? There was a DoS against the firebox from
> approximately 1 year ago involving the nestea attack, which has long since
> been patched.

This was not a nestea attack, and it was just two weeks ago.

> Data flood? what kind of data, your post is very short on facts.

Sorry for that. I should have gone more in-depth I suppose.
The reason I kept it so simple is that the attack is very simple.
They just connected to port 21 and 25, logged on in the case of port 21,
and then started pumping large amounts of random ASCII characters
into the pipe. Nothing spooky about packet construction or sequence
numbers or anything, just "lots of ASCII data" in the TCP stream.

> I doubt this is the company's official stance on the issue, if there is one.

Hmmm. It shows I'm not a native English speaker. "Representative"
may be misleading. I think this was a guy from the Swedish 
distributor for Firebox.

> Having a server on the internet could very easily turn into a denial of
> service attack.
> Host B is your server,  Host B smurfs host A.  Your service is denied.

Looks like I stepped on someone's toe here.
With that reasoning, there's no reason for us to have this list, let
alone firewalls at all.

By the way, there IS actually a way to protect against being the victim
of smurf attacks, contrary to what many believe. You place a load
balancer on the ISP end of your connection, and only the most extremely
powerful smurf amplifiers (or ping -f flooders for that matter) would do
any real damage (they'd have to overload your ISP's connection to the
backbone).

> > Does this strike anyone else as a "not so good idea"?
> Depends if you're more worried about DoS than compromise.

The unusual thing about this DoS is that you can make it be very
selective. That quality makes it harder to detect, rather than
"Yikes! our Internet pipe is full! Let's call our ISP and find out
who's doing it!" or "Yikes! Our web server just went belly-up!
Reboot it!"
Granted, you will get log entries proving that the host you want
to DoS is getting locked out.

> I think your $.02 is worth about that much, you're basing your opinion
> on some display you saw at a computer fair.  As far as you know the
> people were using an unpatched version of the firebox just so it
> would crash.

Sorry 'bout your toe, man.
The people doing the test were a company called Niemann&Munkedal. I
don't know if you've heard about them, but they're a competent bunch
(ask ISS and ICSA).
They did answer all of my questions in great detail, so I wouldn't call
it "some display".
They however were NOT the ones supplying the firewalls, this was up to
the vendor or distributor of each firewall. I somehow doubt that
any of these would use a bad version in a test like this.
(As I pointed out earlier, in the Firebox case, it was the distributor
rather than the vendor)


[Someone that posted to me directly and not to the list] wrote:
> 
> Watchguard has had this same practice enabled on their fireboxes
> for a while now with no undue harm.

That may be true, but would you accept for instance a webserver 
going for a coffee break for 20 minutes every time the 
URL "coffee.htm" was requested, or would you ask the vendor to 
do something about it?

Just because something hasn't been exploited (much) yet doesn't mean
people won't start exploiting it (more).

Also, it just struck me that one could maybe deny users behind
a Firebox access to a specific site using the same technique.
(Not sure about this one though, this would depend on how
Watchguard implemented the blocker; per packet or per session
originator)


Hmm.. This is starting to sound like I'm out to slander
Watchguard. I'm not. I'm really just talking about (the value of)
a specific protection technique. 

Regards,
Mikael Olsson

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]