On Mon, 8 Apr 2002, Mikael Olsson wrote:

> This is definitely true. (If, of course, this is what Paul was
> referring to, which is not unlikely; I'm just being my usual
> dim bulb self.)

These days I tend to worry more about unreachables (most of the 'connected' 'Net seems to handle larger MTUs just fine these days,) but it's definitely part of what I was talking about. Of course, this is easily "handled" by setting a low MTU link out past the firewall (I've done it on purpose before where I've blocked ICMP universally from external sources, but it's an ugly hack.)

> do properly in order to avoid firewalking exposure. (Aaargh yes
> I know: with a proxy you wouldn't even have to worry. &%#&#&%)

At some point, you add enough state tracking information to have a thing as complex as a stack. At that point, the benefits start to go south (worrying about size of state tables, lifetime of entries, etc.)

> I need to come up with better arguments or I'm going to come out
> looking a (bigger than usual) fool :)

There's no chance of that; it's *good* to have debate. However, I still submit that outside of performance, the failure modes of packet filters intersect with those of proxy servers, but there are a few more for filters. I'll even give you that 95+% of admins don't have a conservative enough security policy that they make one bit of difference in most installations. For those who care though, more failure modes can be covered with proxies (and all "firewallish" ones with a combination, but that's the easy answer!)

> If the PIX does this, we are apparently not unique in this capability.
> (However, please note that I never claimed that we were.)
> This is good though: it makes me less of a marketroid, and
> gives me more ammo to use against Paul :)

Now I've done gone and learned something too ;) Is it just ISNs that get randomized, or do (either product) they also track and rewrite all sequence numbers? Is it for both sides of the connection (in either case)?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]       which may have no basis whatsoever in fact."
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
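As an added illustration of the sequence-number question raised above (this is not code from the post, from the PIX, or from any other product): once a stateful firewall shifts the client's ISN, it has committed itself to shifting every later client SEQ and un-shifting every server ACK by the same per-connection offset, with 32-bit wraparound, for the life of the flow. The Segment fields, endpoint addresses and the fixed offset used in the test are constructed sample values.

```python
import secrets
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF

@dataclass
class Segment:                 # only the TCP fields the rewriting touches
    src: str                   # "ip:port" (constructed sample values)
    dst: str
    syn: bool
    ack_flag: bool
    seq: int
    ack: int

class IsnRandomizer:
    """One 32-bit offset per inside-initiated flow, keyed (inside, outside)."""
    def __init__(self, rand=lambda: secrets.randbelow(1 << 32)):
        self._rand = rand
        self.offsets = {}

    def outbound(self, seg):
        """Inside -> outside: pick the offset on SYN, then shift every SEQ for
        the life of the flow.  ACKs refer to the server's space: untouched."""
        key = (seg.src, seg.dst)
        if seg.syn and not seg.ack_flag:
            self.offsets[key] = self._rand()
        delta = self.offsets[key]   # KeyError here == no tracked flow: drop
        seg.seq = (seg.seq + delta) & MASK32
        return seg

    def inbound(self, seg):
        """Outside -> inside: ACKs (and SACK blocks, in a real stack) refer to
        the client's shifted space, so un-shift them."""
        delta = self.offsets[(seg.dst, seg.src)]
        if seg.ack_flag:
            seg.ack = (seg.ack - delta) & MASK32
        return seg

def handshake(fw, client_isn, server_isn):
    """Three-way handshake through fw; returns (wire SYN seq, client-side
    SYN-ACK ack, wire ACK seq).  Endpoints are constructed sample values."""
    inside, outside = "10.0.0.5:40000", "192.0.2.10:80"
    syn = fw.outbound(Segment(inside, outside, True, False, client_isn, 0))
    synack = fw.inbound(Segment(outside, inside, True, True, server_isn,
                                (syn.seq + 1) & MASK32))
    ack = fw.outbound(Segment(inside, outside, False, True,
                              (client_isn + 1) & MASK32, server_isn + 1))
    return syn.seq, synack.ack, ack.seq
```

The server's own sequence space is never touched, which is why only the client-to-server SEQ and the server-to-client ACK need rewriting; the offsets table is exactly the extra per-connection state the post is worrying about.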
