On Fri, 5 Apr 2002, Mikael Olsson wrote:

> > preventing sequence number attacks, fragmentation attacks etc.
> > so is better than stateful inspection.
>
> Except of course for attacks that could "only" result in DoS,
> and take down the proxy firewall with it (since they tend to
> live on full-blown multi-user OSes like Solaris, NT, etc),
> rather than just "some" machines behind a stateful inspection
> firewall that does not know to protect against things like this.

The firewall being down from an attack is better than the "protected"
clients, since the idea is that the firewall is professionally administered
and the lusers aren't great at diagnosing problems.

> (Although this argument is getting somewhat old now, since
> stateful inspection firewalls in general catch at least most
> of these attacks, and proxy firewalls are immune to them
> as long as the administrator remembers to apply the latest
> OS security patches.)

Ah, but the point still stands that the packet filter has to know about
some frag and other bugs (like URG), and indeed has to do things like
"drop all packets with URG set" because there might be one unpatched
client (after the firewall's been updated), rather than allow legitimate
URG traffic after the firewall's been patched.

> Can I counter some now? :)
>
> Please show me how to divide a corporate network, with
> multiple publicly accessible servers with different
> security ratings, and with back-end servers accessible
> from said servers, into ... oh, let's say fifty different
> security zones, using any proxy firewall available today.

4 Ultra2's with 3 QFEs each (yes, the U2 is EOL, but that's how I used
to build them.) Lots of PCs with Linux and open source proxies.
One box with lots of proxies and per-ruleset and per-address-block IP to
proxy mappings. Alternatively, IPSEC to the proxies.

That's if you want fair separation; otherwise, just do it in the rulebases.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]       which may have no basis whatsoever in fact."
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
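The URG point above is worth seeing in code. The example below is an added illustration, not code from the post or from any firewall product mentioned in it. It builds a bare IPv4+TCP segment (constructed sample, checksums zeroed, addresses from documentation ranges), applies the packet-filter rule Paul describes ("drop all packets with URG set", because the filter cannot know whether every client behind it is patched), and contrasts it with what an application proxy does: the proxy has terminated the outside connection, so only the payload is re-sent on a fresh inside segment and the outside flags and urgent pointer never reach the client. The helper names, port numbers and addresses are assumptions made for the demo.

```python
import ipaddress
import struct

# TCP flag bits (RFC 793 control bits in the flags byte).
TCP_FLAG_FIN = 0x01
TCP_FLAG_SYN = 0x02
TCP_FLAG_RST = 0x04
TCP_FLAG_PSH = 0x08
TCP_FLAG_ACK = 0x10
TCP_FLAG_URG = 0x20


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"", urg_ptr=0):
    """Constructed sample packet: minimal IPv4 header + 20-byte TCP header.
    Checksums are left at zero; this is a parsing demo, nothing is sent."""
    tcp_len = 20 + len(payload)
    total_len = 20 + tcp_len
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, 6, 0,   # ver/ihl, tos, len, id, frag, ttl, proto=TCP, csum
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        sport, dport, 0, 0,                   # ports, seq, ack
        5 << 4, flags, 65535, 0, urg_ptr,     # data offset=5 words, flags, window, csum, urgent ptr
    )
    return ip_hdr + tcp_hdr + payload


def parse_tcp(packet):
    """Return (flags, urgent_pointer, payload) for an IPv4+TCP packet,
    or None if the IP protocol field is not TCP."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        return None
    tcp = packet[ihl:]
    (_sport, _dport, _seq, _ack, off_res, flags,
     _win, _csum, urg_ptr) = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off_res >> 4) * 4
    return flags, urg_ptr, tcp[data_off:]


def packet_filter_decision(packet):
    """The stateful-filter rule from the post: drop any TCP segment with URG
    set. The filter forwards packets as they are, so it must assume an
    unpatched client may be behind it and cannot pass legitimate URG."""
    parsed = parse_tcp(packet)
    if parsed is None:
        return "PASS"
    flags, _urg_ptr, _payload = parsed
    return "DROP" if flags & TCP_FLAG_URG else "PASS"


def proxy_relay(packet, proxy_ip, client_ip, client_port, proxy_port=40000):
    """What an application proxy does instead: the outside connection ended
    at the proxy, so it re-sends only the payload on its own inside
    connection. Outside flags and the urgent pointer are not copied.
    (Hypothetical relay; real proxies also validate the application data.)"""
    parsed = parse_tcp(packet)
    if parsed is None:
        return None
    _flags, _urg_ptr, payload = parsed
    return build_ipv4_tcp(proxy_ip, client_ip, proxy_port, client_port,
                          TCP_FLAG_ACK | TCP_FLAG_PSH, payload)


if __name__ == "__main__":
    # Constructed inbound segment carrying URG, as an unpatched client might choke on.
    hostile = build_ipv4_tcp("198.51.100.7", "192.0.2.10", 1234, 80,
                             TCP_FLAG_ACK | TCP_FLAG_URG, b"GET / ", urg_ptr=3)
    print("packet filter:", packet_filter_decision(hostile))
    relayed = proxy_relay(hostile, "192.0.2.1", "192.0.2.10", 80)
    flags, urg_ptr, payload = parse_tcp(relayed)
    print("proxy output: URG=%d urg_ptr=%d payload=%r"
          % (bool(flags & TCP_FLAG_URG), urg_ptr, payload))
```

The asymmetry is the whole argument: the filter's only tool is to drop the segment, patched clients included, while the proxy's rewrite makes the client-side question moot at the cost of the proxy host itself being the thing exposed to the outside connection.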
