"Paul D. Robertson" wrote:
>
> [some very interesting points, even though less than 1% of
> the firewall admins today actually care about it :/ ]
We're getting into deep enough specifics that I realize I can't
counter this using general arguments. This would mean I'd have to
resort to discussing our stuff (which obviously I know best), but:
1. That sort of voids the topic
2. It isn't nearly as fun :)
3. I've already posted more clavister-specific stuff to this
(general-purpose) list than I'm comfortable doing :/
(unless specifically asked to do so, of course)
IOW: "Here, have a freebie point or two" :)
> [on (pseudo) fragment reassembly]
> The issue becomes how much checking is someone doing with frags-
> as it becomes a pretty plausible DoS attack to send pseudo-initial
> frags in some instances
If you're referring to simply filling up the available reassembly
slots, that will DoS fragment reassembly on a proxy equally well.
An SPF on the other hand, given that it can make the assumption that
it can eat more kernel RAM in its in-kernel hooks (or doesn't even
have a thing called "kernel RAM". hehe :)), and that it knows that
it has to protect thousands of internal hosts, would potentially be
better at this than a general-purpose IP stack designed for local
reassembly only.
No points to you for that one. Maybe half a point to me :)
(Although I guess the key word there is "potentially", generally
speaking. I'm almost starting to see your point, given the
"general" state of affairs. &%@#&#@&)
> On Wed, 10 Apr 2002, Mikael Olsson wrote:
> > And here's one more for proxies: most (all?) proxy firewalls ride
> > on top of full-fledged OSes, and when the proxy dies, it tends
> > to leave the OS somewhat unshielded :)
>
> Unshielded how? If the proxy code is all that's bound to sockets,
> the exposure window isn't all that horrific is it?
Just a point of interest:
Isn't it fairly common for (commercial) proxy firewalls to apply
packet filtering on traffic to the firewall itself?
(At least stuff like the "kill raptor boxes by sending IP options
with 0 length" bug from a couple of years ago has led me to think so.
I could be wrong.)
> > OTOH, the same is true for at least the majority of the SPFs. %&#%.
>
> Darnit! No fair taking my points! ;)
Suddenly turning around and taking the opposite view of one's
usual view is a great brain exercise, I've been told.
... and done in the middle of an entertaining argument, it also
tends to drive people nuts :)
Now, you either need to stop dropping points that we (I? ;)) haven't
finished arguing, or tell me where to pick up my cigar :)
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
"Senex semper diu dormit"
_______________________________________________
Firewalls mailing list
http://lists.gnac.net/mailman/listinfo/firewalls
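The reassembly-slot exhaustion argued over above (pseudo-initial fragments that never complete), as an added example that is not code from this thread or from any product it mentions: a toy in-kernel-style reassembly table in Python that bounds total slots, caps slots per source address, expires stale entries, and counts evictions so a monitor can alarm on them. The limits, addresses and fragments are constructed for the demo.

```python
import time
from collections import OrderedDict


class ReassemblyTable:
    """Toy IP fragment reassembly table with hard resource limits (constructed demo)."""
    def __init__(self, max_slots=4, per_source=2, timeout=30.0):
        # total incomplete datagrams held, slots one source may hold, seconds to wait
        self.max_slots, self.per_source, self.timeout = max_slots, per_source, timeout
        # (src, dst, ident) -> {"frags": {offset: bytes}, "last": bool, "t0": float}
        self.slots = OrderedDict()      # insertion order doubles as "oldest first"
        self.evicted = 0                # slots dropped by cap or timeout; alarm on this

    def _expire(self, now):
        stale = [k for k, s in self.slots.items() if now - s["t0"] > self.timeout]
        for k in stale:
            del self.slots[k]
            self.evicted += 1

    @staticmethod
    def _assemble(frags):
        """Return the datagram payload if fragments are contiguous from 0, else None."""
        pos, parts = 0, []
        for off, data in sorted(frags.items()):
            if off != pos:
                return None             # gap: still waiting on a fragment
            parts.append(data)
            pos += len(data)
        return b"".join(parts)

    def add(self, src, dst, ident, offset, more_frags, data, now=None):
        """Feed one fragment; returns (status, payload_or_None)."""
        now = time.time() if now is None else now
        self._expire(now)
        key = (src, dst, ident)
        if key not in self.slots:
            if sum(1 for k in self.slots if k[0] == src) >= self.per_source:
                return ("dropped-per-source", None)   # refuse; don't evict others
            if len(self.slots) >= self.max_slots:
                self.slots.popitem(last=False)        # oldest slot makes room
                self.evicted += 1
            self.slots[key] = {"frags": {}, "last": False, "t0": now}
        slot = self.slots[key]
        slot["frags"][offset] = data
        slot["last"] = slot["last"] or not more_frags  # MF=0 marks the final fragment
        if slot["last"]:
            payload = self._assemble(slot["frags"])
            if payload is not None:
                del self.slots[key]
                return ("reassembled", payload)
        return ("pending", None)
```

With a per-source quota, a single chatty source exhausts only its own quota; the global cap and timeout decide what happens to everyone else, and `evicted` rising sharply is the signal worth watching.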