Paul Robertson wrote:
> 
> ICMP unreachables to the external interface are much less
> dangerous than to every client.

Hm. I must be missing something here. I don't think of inbound
ICMP errors as being very harmful. (Given that they've
been structurally verified and so on.)

Inbound unreachables do have the potential of cutting connections
a bit more uncontrollably than TCP RSTs, but the same is true
even if the proxy firewall originated its own outbound connection.

Outbound ICMP errors, on the other hand, are a different story, of course.
(Firewalk & co).


> Old, but still probably a default block in mainstream commercial products.
> It's illustrative of the transport layer issues surrounding many clients
> versus one client.

This is true. We do strip the URG flag by default for this reason.
I agree with "probably a default block" too, although I don't really
have the hard data to back it up.


> > > 4. Fragment overlap attacks and attempts aren't handled inconsistently by
> > > different "protected" machines since they're all handled by the proxy.
> >
> > Don't most of the "recognized" SPF vendors (pseudo-)reassemble and
> > reorder properly by now?
> 
> Reordering "properly" is OS dependent.  That's why multiple overlapping
> frags are "interesting" IDS attacks.

Yeah, if you allow overlapping frags, "properly" is hard (impossible?)
to define. We don't allow overlaps. (I'd very much like to learn what
others are doing though. Lance's writeup on FW-1 and fragmentation
didn't exactly leave me reassured :/ )


> The failure modes of packet filters intersect with those of proxy 
> servers, but there are a few more for filters

That may be, but then we get back to my point of "needing to know
more may also be a Good Thing(tm)", which you left dangling with
that "perhaps" :)

And here's one more for proxies: most (all?) proxy firewalls ride
on top of full-fledged OSes, and when the proxy dies, it tends
to leave the OS somewhat unshielded :)

OTOH, the same is true for at least the majority of the SPFs. %&#%.

ObFsckups: It was very amusing to see what happened to an FW-1 box 
(delivered and configured by checkpoint; the default solaris inetd.conf 
left untouched) when the FW-1 license file decided to go invalid. Ouch.


/Mike

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

Ynlre 8 frphevgl fbyhgvbaf: uggc://yneg.onqs00q.bet
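The "we don't allow overlaps" policy discussed above, as an added example that is not code from the thread or from any vendor mentioned in it: a small reassembly-side check that rejects a datagram whose fragments overlap (the case where "properly" becomes OS-dependent), flags structurally bad fragments, and otherwise reports whether the datagram is complete. The `Fragment` type and `check_fragments` function are names assumed for this illustration; the sample fragment sets are constructed.

```python
"""Fragment-overlap policy check (added example, not from the thread).

A fragment is modelled by the three fields a reassembler needs: the IP
fragment offset (in 8-byte units), the MF flag, and the payload length.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int   # IP header fragment offset field, in 8-byte units
    more: bool    # "more fragments" (MF) flag
    length: int   # payload bytes carried by this fragment

    @property
    def start(self) -> int:
        return self.offset * 8

    @property
    def end(self) -> int:  # exclusive
        return self.start + self.length


def check_fragments(frags):
    """Classify one datagram's fragments under a no-overlap policy.

    Returns ("overlap", (a, b)) if two fragments share any byte range,
    ("malformed", None) for a non-final fragment whose length is not a
    multiple of 8 or a non-MF fragment that is not the last one,
    ("incomplete", None) if bytes are still missing, and
    ("complete", total_length) if the datagram reassembles cleanly.
    """
    ordered = sorted(frags, key=lambda f: (f.start, f.end))
    # Any byte covered twice is an overlap; the policy drops such datagrams
    # rather than guessing which copy a given host OS would keep.
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.start < prev.end:
            return ("overlap", (prev, cur))
    expected = 0
    for i, f in enumerate(ordered):
        if f.more and f.length % 8:                 # structural check
            return ("malformed", None)
        if not f.more and i != len(ordered) - 1:    # data past the last fragment
            return ("malformed", None)
        if f.start != expected:                     # hole before this fragment
            return ("incomplete", None)
        expected = f.end
    if not ordered or ordered[-1].more:             # still waiting for the tail
        return ("incomplete", None)
    return ("complete", expected)


# Constructed samples: a clean two-fragment datagram and an overlapping one.
SAMPLE_CLEAN = [Fragment(0, True, 1480), Fragment(185, False, 100)]
SAMPLE_OVERLAP = [Fragment(0, True, 1480), Fragment(184, False, 100)]
```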
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls