On Wed, 2 Aug 2000, Dug Song wrote:

> Cisco PIX had similar holes in their FTP proxy, only much worse - as
> reported by monti on BUGTRAQ, ftp-ozone allowed you to open ANY port:
> 
>        http://www.cisco.com/warp/public/707/pixftp-pub.shtml
> 
> likewise, the FTP proxies in IP filter and ip_masq had problems as well:
> 
>       http://false.net/ipfilter/2000_03/0248.html
>       http://www.uwsg.iu.edu/hypermail/linux/kernel/0003.2/1171.html

Thanks, I'd missed these completely.

> exploits we developed were Firewall-1 specific, this isn't to say that
> some of the same techniques we used couldn't be leveraged against other
> firewalls successfully - we just didn't try.

With over 100 products out there, I don't doubt that there are, but I
think "might be" is fairer than "are" until someone does it.
 
> wrt denial of service - it goes without saying that a stateful inspection
> firewall can be locked up with a simple state holding attack, such as
> Lance Spitzner's frag flood, or something more evil:

Not just stateful firewalls have trouble with frag floods; some vendors'
OSes still have trouble too.  In that case, ALGs on those systems will fall
over or stop passing traffic.

> but denial of service attacks are really pretty useless when the target
> system fails closed. network IDSs are a better target for this sort of
> thing, as they fail completely open, and usually with much less effort.

They're not useless if you're trying to prevent publication to a Web
server, updates via VPN, or delay a specific transaction that you have
knowledge of and want to delay past a deadline.  People are using PIX and
FW1 at colo facilities to protect commerce sites; anti-spoofing protection
does nothing for you in that situation unless you have an out-of-band
connection...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
