I am considering enabling the fragment protection on a Pix 5.02, due to
some odd DNS fragments we have seen in the last couple of days. Even
though the Pix does appear to do fragment state checking, it definitely
breaks Linux fragments, because apparently they are sent in reverse (per
Cisco docs).
Are there any other problems I am setting myself up against by enabling
the fragment protection? The Pix is used for a major e-commerce site, so I
would like to know about any complications ahead of time.
Misha
sysopt security fragguard
The sysopt security fragguard command enables the IP Frag Guard
feature. This feature is disabled by default. It enforces two additional
security checks beyond those recommended by RFC 1858 against the many IP
fragment-style attacks (teardrop, land, and so on). First, each
non-initial IP fragment is required to be associated with an already seen,
valid initial IP fragment. Second, IP fragments are rate-limited to 100
full fragmented IP packets per second to each internal host.
The IP Frag Guard feature operates on all interfaces in the PIX Firewall
and cannot be selectively enabled or disabled by interface.
PIX Firewall uses the security fragguard command to enforce the security
policy determined by a conduit permit or conduit deny command to permit or
deny packets through the PIX Firewall.
--------------------------------------------------------------------------------
Note Use of the sysopt security fragguard command breaks normal IP
fragmentation conventions. However, not using this command exposes PIX
Firewall to the possibility of IP fragmentation attacks. Cisco recommends
that packet fragmentation not be permitted on the network if at all
possible.
--------------------------------------------------------------------------------
Note If PIX Firewall is used as a tunnel for FDDI packets between
routers, disable the security fragguard command feature.
--------------------------------------------------------------------------------
Note Because Linux sends IP fragments in reverse order, fragmented Linux
packets will not pass through the PIX Firewall with the sysopt security
fragguard command enabled.
--------------------------------------------------------------------------------
The show sysopt command lists the sysopt commands in the
configuration. The clear sysopt command resets the sysopt command to
default settings. The no sysopt security fragguard command disables the IP
Frag Guard feature.
Example
The following example disables Frag Guard and then lists the current
command options:
no sysopt security fragguard
show sysopt
sysopt security fragguard
no sysopt connection tcpmss
no sysopt connection timewait
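A toy model of the two Frag Guard checks the documentation above describes, added here as an example (it is not Cisco code and not part of the original message): it takes constructed fragment records, accepts a non-initial fragment only if the initial fragment of the same datagram was already seen, and rate-limits completed fragmented datagrams to 100 per second per internal host. Running it over a datagram sent last-fragment-first, as the Linux note says, shows the first two fragments being dropped. The Fragment tuple, the sliding one-second window, the datagram key (src, dst, ident) and the sample addresses are assumptions of this model; the 100/s figure is the one quoted in the text.

```python
"""Model of the PIX Frag Guard checks quoted above (added example, not Cisco
code).  Keying a datagram on (src, dst, ident) and using a sliding
one-second window for the rate limit are simplifying assumptions."""
from collections import defaultdict, deque
from typing import NamedTuple, List, Tuple


class Fragment(NamedTuple):
    src: str       # outside sender
    dst: str       # internal host the datagram is addressed to
    ident: int     # IP identification field shared by all fragments of one datagram
    offset: int    # fragment offset in 8-byte units; 0 marks the initial fragment
    mf: bool       # "more fragments" flag; False on the last fragment
    t: float       # arrival time in seconds


RATE_LIMIT = 100   # full fragmented packets per second per internal host (from the text)


class FragGuard:
    def __init__(self) -> None:
        # datagrams whose initial fragment has been accepted (never expired here,
        # a simplification of the real state table)
        self.initial_seen = set()
        # dst -> arrival times of datagrams completed in the last second
        self.completed = defaultdict(deque)

    def check(self, frag: Fragment) -> Tuple[bool, str]:
        """Return (accepted, reason) for a single fragment."""
        key = (frag.src, frag.dst, frag.ident)
        if frag.offset == 0:
            self.initial_seen.add(key)
            return True, "initial fragment"
        if key not in self.initial_seen:
            # first check: no valid initial fragment has been seen for this datagram
            return False, "non-initial fragment with no prior initial fragment"
        if not frag.mf:
            # last fragment: this completes one full fragmented packet for dst
            window = self.completed[frag.dst]
            while window and frag.t - window[0] >= 1.0:
                window.popleft()
            if len(window) >= RATE_LIMIT:
                # second check: per-host limit of full fragmented packets per second
                return False, "per-host fragment rate limit exceeded"
            window.append(frag.t)
            return True, "datagram complete"
        return True, "middle fragment"


def run(frags: List[Fragment]) -> List[Tuple[bool, str]]:
    """Feed a fragment stream through a fresh Frag Guard and collect decisions."""
    guard = FragGuard()
    return [guard.check(f) for f in frags]


def linux_style(src: str, dst: str, ident: int, t: float) -> List[Fragment]:
    """Constructed three-fragment datagram sent last-fragment-first, the order the
    Cisco note attributes to Linux."""
    return [Fragment(src, dst, ident, 2, False, t),
            Fragment(src, dst, ident, 1, True, t),
            Fragment(src, dst, ident, 0, True, t)]


def forward_style(src: str, dst: str, ident: int, t: float) -> List[Fragment]:
    """Constructed three-fragment datagram sent initial-fragment-first."""
    return [Fragment(src, dst, ident, 0, True, t),
            Fragment(src, dst, ident, 1, True, t),
            Fragment(src, dst, ident, 2, False, t)]


def dropped(frags: List[Fragment]) -> List[str]:
    """Reasons for every fragment the model rejects, in arrival order."""
    return [reason for ok, reason in run(frags) if not ok]


if __name__ == "__main__":
    # constructed sample addresses (RFC 5737 documentation range and RFC 1918)
    print("Linux order:", run(linux_style("203.0.113.5", "10.0.0.10", 1, 0.0)))
    print("normal order:", run(forward_style("203.0.113.5", "10.0.0.10", 1, 0.0)))
    flood = []
    for i in range(101):
        flood += forward_style("203.0.113.5", "10.0.0.10", i, i * 0.005)
    print("flood drops:", dropped(flood))
```

The reverse-order case is the practical point of the Linux note: the two non-initial fragments arrive before any initial fragment and are discarded, and although the initial fragment that follows is accepted, the receiving host can never reassemble the datagram. The flood case shows the second check: the 101st datagram completed for one internal host within a second is dropped while the first 100 pass.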