Hi Misha,

The impact of PIX fragguard on your network is dependent on how much 
fragmentation is normally present in your network.  Generally, there should 
be minimal impact, unless there is a lot of fragmentation in the traffic 
across the firewall.

Otherwise, I'm not aware of any issues with the fragguard feature.

I hope that helps,

Lisa Napier
Product Security Incident Response Team
Cisco Systems

At 01:20 PM 11/12/1999 -0600, Misha wrote:
>I am considering enabling the fragment protection on a Pix 5.02, due to
>some odd DNS fragments we have seen in the last couple of days. Even
>though the Pix does appear to do fragment state checking, it definitely
>breaks Linux fragments, because apparently they are sent in reverse (per
>Cisco docs).
>
>Are there any other problems I am setting myself up against by enabling
>the fragment protection? The Pix is used for a major e-commerce site, so I
>would like to know about any complications ahead of time.
>
>Misha
>
>
>
>sysopt security fragguard
>The sysopt security fragguard command enables the IP Frag Guard
>feature. This feature is disabled by default. This feature enforces two
>additional security checks in addition to the security checks recommended by
>RFC 1858 against the many IP fragment style attacks: teardrop, land, and
>so on.  First, each non-initial IP fragment is required to be associated
>with an already seen valid initial IP fragment. Second, IP fragments are
>rated to 100 full IP fragmented packets per second to each internal host.
>
>The IP Frag Guard feature operates on all interfaces in the PIX Firewall
>and cannot be selectively enabled or disabled by interface.
>
>PIX Firewall uses the security fragguard command to enforce the security
>policy determined by a conduit permit or conduit deny command to permit or
>deny packets through the PIX Firewall.
>
>
>--------------------------------------------------------------------------------
>Note Use of the sysopt security fragguard command breaks normal IP
>fragmentation conventions. However, not using this command exposes PIX
>Firewall to the possibility of IP fragmentation attacks. Cisco recommends
>that packet fragmentation not be permitted on the network if at all
>possible.
>--------------------------------------------------------------------------------
>
>--------------------------------------------------------------------------------
>  Note If PIX Firewall is used as a tunnel for FDDI packets between
>routers, disable the security fragguard command feature.
>--------------------------------------------------------------------------------
>
>--------------------------------------------------------------------------------
>  Note Because Linux sends IP fragments in reverse order, fragmented Linux
>packets will not pass through the PIX Firewall with the sysopt security
>fragguard command enabled.
>--------------------------------------------------------------------------------
>
>The show sysopt command lists the sysopt commands in the
>configuration. The clear sysopt command resets the sysopt command to
>default settings. The no sysopt security fragguard command disables the IP
>Frag Guard feature.
>
>Example
>The following example disables Frag Guard and then lists the current
>command options:
>
>no sysopt security fragguard
>show sysopt
>sysopt security fragguard
>no sysopt connection tcpmss
>no sysopt connection timewait
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
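
Added illustration (not Cisco's code and not from either message above): a small Python simulation of the two Frag Guard checks quoted from the documentation, showing why a sender that emits the last fragment first, as the note says Linux does, has its non-initial fragments dropped even though the datagram is otherwise valid. The addresses, IP IDs, fragment offsets and the per-fragment `ts` timestamp are constructed assumptions.

```python
from collections import defaultdict

RATE_LIMIT_PER_SEC = 100  # "100 full IP fragmented packets per second" per internal host


class FragGuard:
    """Simulation of the two extra IP Frag Guard checks from the quoted docs.
    A fragment is a dict with src, dst, ip_id, offset (8-byte units),
    mf (more-fragments flag) and ts (arrival time in seconds; constructed)."""

    def __init__(self, rate_limit=RATE_LIMIT_PER_SEC):
        self.rate_limit = rate_limit
        self.seen_initial = set()             # (src, dst, ip_id) whose offset-0 fragment arrived
        self.full_per_sec = defaultdict(int)  # (dst, whole second) -> completed datagrams

    def check(self, frag):
        key = (frag["src"], frag["dst"], frag["ip_id"])
        if frag["offset"] == 0:
            self.seen_initial.add(key)
        elif key not in self.seen_initial:
            # Check 1: a non-initial fragment must follow an already-seen initial fragment.
            return "drop: no initial fragment seen"
        if not frag["mf"]:
            # Last fragment of a datagram whose initial fragment was seen: count it
            # as one full fragmented packet toward this host's per-second budget (check 2).
            bucket = (frag["dst"], int(frag["ts"]))
            self.full_per_sec[bucket] += 1
            if self.full_per_sec[bucket] > self.rate_limit:
                return "drop: fragment rate limit exceeded"
            self.seen_initial.discard(key)
        return "pass"


def frag(src, dst, ip_id, offset, mf, ts):
    return {"src": src, "dst": dst, "ip_id": ip_id, "offset": offset, "mf": mf, "ts": ts}


def run(fragments, rate_limit=RATE_LIMIT_PER_SEC):
    """Feed fragments through one guard instance and return a verdict per fragment."""
    guard = FragGuard(rate_limit)
    return [guard.check(f) for f in fragments]


# Constructed sample: a two-fragment DNS reply sent in normal order, then the
# same shape of datagram sent last-fragment-first (the Linux case in the note).
NORMAL_ORDER = [frag("10.0.0.5", "192.0.2.10", 1, 0, True, 0.0),
                frag("10.0.0.5", "192.0.2.10", 1, 185, False, 0.0)]
REVERSE_ORDER = [frag("10.0.0.5", "192.0.2.10", 2, 185, False, 0.0),
                 frag("10.0.0.5", "192.0.2.10", 2, 0, True, 0.0)]

if __name__ == "__main__":
    print(run(NORMAL_ORDER))   # ['pass', 'pass']
    print(run(REVERSE_ORDER))  # ['drop: no initial fragment seen', 'pass']
```

In the reverse-order case the initial fragment still passes, but the host never receives the dropped tail and cannot reassemble the datagram, which is the behaviour the note describes.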