"Paul D. Robertson" wrote:
>
> [on reassembly DoS]
> I wonder if it's really better under 2k+patches, or if the
> threading is just better?
It isn't a total system DoS. It just DoSes fragment reassembly.
The CPU load of the target system won't even increase a single
percent.
(This isn't jolt2 I'm talking about. 300bps isn't enough to
make jolt2 work. You need about 14.4Kbps for jolt2 to kill
the IP stack and five times that to freeze the system.)
> Ah, but since in my case, the software wasn't proxy software, it
> doesn't count as part of the architecture, whereas in your case
> it does! :)
The barbiesoft URL filter wasn't a proxy? *boggle* :)
> [on invalidating the topic]
> WE wouldn't, but I'd guess that maybe 15,000 others might just
> vote for that option ;)
Ummm.. I refuse to understand what you're talking about :)
> > in these layers, there is no "real" difference in the
> > protection that a proxy firewall affords compared to an SPF. [3]
>
> The proxy is the only client that needs patching in client-side issues,
> and the only place that needs content filtering in content issues. *Some*
> content issues can be negated with an SPF, but not all and certainly the
> range of client issues that can be fixed is significantly less.
I was talking about L3 and L4 only in this paragraph.
And even when/if a problem is found in L3/L4 filtering/logic
on an SPF, the SPF is the only box that needs to be patched.
> > I think we all agree that segmentation is a good thing.
> > Segmentation is hard (maybe too hard) to accomplish when:
> > - your proxy won't forward necessary protocols.
>
> If we assume circuit-level relays (a la' plug-gw, then that goes away,
> without them, we could always assume a stronger deny stance ;) ))
See next point.
> > - And let's not forget routing problems. How many proxies support
> > lifting a host out from its LAN and placing it behind another
> > interface, without restructuring your IP plan - heck, without even
> > touching the IP config of a single host?!
> > (Yes, I assume that you've already got boxes scattered across
> > your available IP range; not that you have several ready-made
> > subnets sitting around just in case you need to create another
> > segment some day. I know no admin that has. :))
>
> We had spare _routable_ space reserved at the last company I was
> at, but I'm puzzled as to why you think a host route doesn't work on a
> proxy server?
Assume two boxes want to speak NetBIOS to each other. (Yes, I know,
horrid. Let's assume that the server is a very stripped-down samba.)
Assume box 1 behind if1 has IP 1.2.3.9, and wants to communicate
with hosts behind if2 with IPs 1.2.3.1--254 (sans .9 of course).
Tell me how a host route on _an available proxy firewall package_
solves this.
Yes, I know, you can always get more routable space. Or rearrange
your IP allocations. But I've seen enough cases where people
DON'T segment their servers as much as they'd really like, just
because firewall boxes with rigid subnetting rules and poor
segmentation support functions put the effort bar too high.
> > - And.. important.. speed. When you segment dozens of servers, they
> > very often still need to be able to talk to each other at high
> > speeds. (Think web server -> backend DB. Think backups.)
>
> Speed is the only point I'll readily concede.
Hey. I just thought of another one:
- For many protocols, a thorough ALG is a very complex beast. Enough
so that at least _I_ don't want to trust it to be immune to
exploits that give you (partial) control of the machine it is
running on.
(Very good case in point: a content and virus scanning HTTP proxy.)
If I center my firewalling environment around an SPF with good
segmentation support functions, I can (easily) put such a box on a
separate segment and only allow required communication to and
from that box. With the (not poorly written) SPF sitting on
a separate box, I can be reasonably assured that said proxy box
won't gain control over the entire packet flow, or be able to
connect anywhere it damn pleases.
> > [on the protection that internal boxes need]
> > 2) Analyzed on the application layer.
> > I believe that this is best done by specialized relays/proxies
> > (NOT! a proxy firewall with everything from a single vendor or
> > organization!).
>
> A proxy firewall doesn't have to be a single box, and a single box doesn't
> have to run everything from the vendor. For instance, ever since I
> started using Postfix in production (2nd Alpha version),
> I've ripped out the native SMTP proxy and replaced it with Postfix
I still think that you're talking about the same thing as I. :)
> you can't mix and match pieces of an SPF on a per-protocol basis.
I believe this is a good quality in SPFs. I want my "traffic control
filtering box" to be compact enough that I can assume that it does
what it is told and nothing else. If equipped with login shells,
multiuser environment, compilers, etc etc etc, that you'd need for
installing postfix on it, this is no longer true. Not by a long shot.
> Sure, and my firewall implementations always include some sort of
> packet filter (preferably with state) - generally IPFilter/NetBSD
See? :)
> [0] Really, check again[2]!
> [2] There was no [0].
*bzzt* brain stalled.. *bzzt* infinite loop.. *bzzkktt* *boom*
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
"Senex semper diu dormit"
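Worked example of the host-route segmentation scenario argued above (an added illustration, not code from either poster or from any firewall product): host 1.2.3.9 is lifted out of 1.2.3.0/24 and placed behind if1 while the rest of the /24 stays behind if2, without renumbering any host. The interface names if1/if2 and the single /32 host route are the only assumptions; the proxy-ARP bookkeeping is what makes the two halves still believe they share one on-link subnet.

```python
# Added example (not from the thread): longest-prefix-match routing plus the
# proxy-ARP entries a filtering box needs when one host (1.2.3.9, behind if1)
# is lifted out of a /24 whose other hosts sit behind if2.
import ipaddress

# Constructed routing table: (prefix, interface). The /32 host route is the
# one thing that moves 1.2.3.9 without touching any host's IP config.
ROUTES = [
    (ipaddress.ip_network("1.2.3.0/24"), "if2"),
    (ipaddress.ip_network("1.2.3.9/32"), "if1"),
]
INTERFACES = {"if1", "if2"}


def lookup(dst: str) -> str:
    """Return the egress interface for dst using longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def crosses_filter(src: str, dst: str) -> bool:
    """True when src and dst sit on different interfaces, i.e. the flow
    now passes the filtering box and can be restricted (e.g. NetBIOS only).
    Same-interface traffic never reaches the box and cannot be filtered."""
    return lookup(src) != lookup(dst)


def proxy_arp_entries(subnet: str) -> dict:
    """Addresses the box must answer ARP for, per interface.

    Hosts on both sides still think the whole /24 is on-link, so the box
    answers ARP on if2 for the lifted host and on if1 for every address the
    lifted host wants to reach behind if2. Returns {iface: [addr, ...]}.
    """
    net = ipaddress.ip_network(subnet)
    entries: dict = {}
    for host in net.hosts():
        egress = lookup(str(host))
        # Answer ARP for `host` on every interface other than its real one.
        for iface in sorted(INTERFACES - {egress}):
            entries.setdefault(iface, []).append(str(host))
    return entries
```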
_______________________________________________
Firewalls mailing list
http://lists.gnac.net/mailman/listinfo/firewalls