Rick Murphy wrote:
> 
> At 02:37 PM 5/25/00 +0200, Mikael Olsson wrote:
> >All you've got to do with a filtering firewall is implement the correct
> >filter (or wait for a fix) and you get the vulnerable servers back up.
> 
> Good theory, not seen to work in practice. For example, the Ping-Of-Death
> bug. The first fixes for SYN flood attacks came from the proxy firewall
> vendors, not packet filters.
> Now there's fragment leakage attacks. What 'correct filter' rule are you
> going to add to fix that?

Yup. As Lance's experiments with FW-1 point out, current stateful
filtering firewalls still make forwarding decisions based on the current
packet and state saved from previous packets. Fragment and TCP stream
reassembly are not performed. Sometimes the best decision can only be
made by buffering the current packet and deferring the forwarding until
additional packets are received, analyzed, reassembled, etc.
Unfortunately that would introduce latency that stateful filtering
vendors are trying to avoid.

-paul
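As an added illustration of the point made above (example code, not from anyone in this thread): a toy reassemble-then-filter stage beside the per-fragment decision a packet filter can make on its own. The fragment record layout, addresses, the allowed-port policy and the buffer cap are constructed assumptions.

```python
# Added example: per-fragment filtering versus buffer-reassemble-then-filter.
# Fragments are modelled as constructed dicts (offset in 8-byte units, as in IP),
# not parsed from real headers.
from collections import defaultdict
import struct

ALLOWED_TCP_PORTS = {80, 443}   # hypothetical policy: permit only web ports
MAX_BUFFERED = 65535            # cap on bytes held per pending datagram

def per_packet_decision(frag):
    """Decide from one fragment alone, as a per-packet filter must."""
    if frag["offset"] == 0 and len(frag["payload"]) >= 4:
        dport = struct.unpack("!H", frag["payload"][2:4])[0]
        return "allow" if dport in ALLOWED_TCP_PORTS else "deny"
    return "undecidable"        # non-initial fragment: no transport header here

class Reassembler:
    """Holds fragments (adding latency) until the datagram is complete."""
    def __init__(self):
        self.buf = defaultdict(list)          # (src, dst, ip_id) -> fragments

    def feed(self, frag):
        key = (frag["src"], frag["dst"], frag["id"])
        self.buf[key].append(frag)
        frags = sorted(self.buf[key], key=lambda f: f["offset"])
        if sum(len(f["payload"]) for f in frags) > MAX_BUFFERED:
            del self.buf[key]
            return "deny"                     # oversize: never hold unbounded state
        expected = 0
        for f in frags:
            if f["offset"] * 8 != expected:   # gap -> keep waiting; overlap -> reject
                return "pending" if f["offset"] * 8 > expected else "deny"
            expected += len(f["payload"])
        if frags[-1]["mf"]:
            return "pending"                  # last fragment (MF=0) not seen yet
        data = b"".join(f["payload"] for f in frags)
        del self.buf[key]
        return per_packet_decision({"offset": 0, "payload": data})

def demo():
    """Constructed TCP segment to port 80, split so the header spans two fragments."""
    hdr = struct.pack("!HH", 40000, 80) + bytes(16)   # 20-byte TCP header, dport 80
    base = {"src": "10.0.0.1", "dst": "10.0.0.2", "id": 7}
    frags = [dict(base, offset=0, mf=1, payload=hdr[:8]),
             dict(base, offset=1, mf=0, payload=hdr[8:] + b"GET /")]
    r = Reassembler()
    return [(per_packet_decision(f), r.feed(f)) for f in frags]
```

The second fragment is undecidable on its own, while the reassembler returns a verdict only once the whole datagram is in hand.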