List: fwtk-users
Subject: RE: tis on rh linux 6.1
From: "Luis Fernando Barrera" <luba () assist ! com ! gt>
Date: 2000-03-22 18:20:52
[To be removed from this list send the message "unsubscribe fwtk-users" in the
BODY of a mail message to majordomo@ex.tis.com.]
> > OK I didn't mean to get into semantics. My point was test your
> > firewall no matter what type of firewall it is.
>
> I won't disagree with you there.
>
> > The main thing these tcp/ip stack attacks took advantage of was the fact
> > that OS tcp/ip stack programmers were not taking into account all the
> > possible TCP/IP flag combinations. They were programming for all the
> > reasonable combinations, not all POSSIBLE combinations. This flag field
> > is only 6 bits long and I believe most of the stack programmers are
> > covering every combination in their current implementation. An else at
> > the end of a case statement to handle (throw away) any weird
> > combinations is all that should be required.
>
> That's fine. But whatever the reasons were, there have been in the past
> attacks that resemble sending Packet X to Port Y to crash Operating System
> Z. That's all I was saying. I never discussed the reasons for these
> vulnerabilities, only that they have existed in the past and that they
> could crop up again in the future, and a proxying-only firewall will not
> defend (itself) against them (that is... the internal network would be
> safe).
>
> > With the above implementation there is no reason a guarantee couldn't be
> > given. The tcp/ip data structure is well known. Any programmers that
> > aren't accounting for all possible combinations shouldn't be programming
> > the tcp/ip stack of any OS.
>
Everything above is correct, no programmer should be doing systems
if he/she is not accounting for all the possible combinations... However, programmers
are human, so there will always be a chance that a security hole exists.
If you are security aware, it's better not to put a door in front of your house than
to put a door with a lot of locks, even if they're the most secure locks in the world...
Of course in that case you wouldn't be able to leave/enter your house; that's the tradeoff!

> > I happen to like linux's ipchains/packet filtering stuff and will use it
> > on a proxy firewall when I believe it adds to the security, but that's only
> > when I don't have a GOOD proxy app for something that needs to pass thru
> > the proxy firewall. (example udp-relay)

The point again is that with packet filtering you have to turn on the IP
forwarding option in the firewall, which is a bad idea... right?

Sorry if my comments were a little behind the conversation... but I think
parts of it are private and others are not...

Luis Fernando Barrera
luba@assist.com.gt
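The "else at the end of a case statement" that the quoted poster describes, as an added example that is not part of the original thread: a strict whitelist of TCP flag combinations in C, where every combination not explicitly listed falls through the default branch and is dropped. The function names, the scan labels and the constructed sample batch in main() are assumptions made for illustration, not code from TIS FWTK, ipchains or any real stack.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The six flag bits of the TCP header (RFC 793, header byte 13). ECE/CWR
 * (0x40, 0x80) fall outside this 6-bit field and are masked off first. */
#define TCP_FIN 0x01u
#define TCP_SYN 0x02u
#define TCP_RST 0x04u
#define TCP_PSH 0x08u
#define TCP_ACK 0x10u
#define TCP_URG 0x20u
#define TCP_FLAG_MASK 0x3Fu

/* Whitelist of the combinations a conforming stack actually sends.
 * Anything not listed is rejected by the default branch, which is the
 * "else at the end of the case statement" the thread talks about:
 * a strict whitelist, not a list of known-bad patterns. */
bool tcp_flags_plausible(uint8_t flags)
{
    uint8_t f = flags & TCP_FLAG_MASK;
    uint8_t core = f & (TCP_FIN | TCP_SYN | TCP_RST | TCP_ACK);
    uint8_t extra = f & (TCP_PSH | TCP_URG);

    /* PSH and URG only make sense on segments that can carry data, and
     * after the initial SYN every segment carries ACK (RFC 793, 3.4). */
    if (extra && !(f & TCP_ACK))
        return false;

    switch (core) {
    case TCP_SYN:            /* connection request */
    case TCP_SYN | TCP_ACK:  /* accepted request */
    case TCP_ACK:            /* data or pure acknowledgement */
    case TCP_FIN | TCP_ACK:  /* orderly close */
    case TCP_RST:            /* abort, e.g. reply to a SYN on a closed port */
    case TCP_RST | TCP_ACK:  /* abort acknowledging a segment */
        return true;
    default:                 /* null, FIN-only, SYN+FIN, SYN+RST, FIN+RST, ... */
        return false;
    }
}

/* Short label for a log line. The well-known probe patterns get names so an
 * operator can recognise them; anything else odd is just "unexpected". */
const char *tcp_flags_label(uint8_t flags)
{
    uint8_t f = flags & TCP_FLAG_MASK;

    if (tcp_flags_plausible(f))
        return "ok";
    if (f == 0)
        return "null";
    if (f == (TCP_FIN | TCP_PSH | TCP_URG))
        return "xmas";
    if ((f & (TCP_SYN | TCP_FIN)) == (TCP_SYN | TCP_FIN))
        return "syn-fin";
    if (f == TCP_FIN)
        return "fin-only";
    return "unexpected";
}

/* How many flag bytes out of a batch would be thrown away. */
int count_dropped(const uint8_t *flags, int n)
{
    int dropped = 0;
    for (int i = 0; i < n; i++)
        if (!tcp_flags_plausible(flags[i]))
            dropped++;
    return dropped;
}

int main(void)
{
    /* Constructed sample: a normal handshake and close, then probe patterns. */
    const uint8_t sample[] = {
        TCP_SYN, TCP_SYN | TCP_ACK, TCP_ACK, TCP_PSH | TCP_ACK,
        TCP_FIN | TCP_ACK, TCP_RST | TCP_ACK,
        0x00, TCP_FIN, TCP_FIN | TCP_PSH | TCP_URG, TCP_SYN | TCP_FIN,
        TCP_SYN | TCP_RST, TCP_URG,
    };
    int n = (int)(sizeof sample / sizeof sample[0]);

    for (int i = 0; i < n; i++)
        printf("flags=0x%02x -> %s\n", sample[i], tcp_flags_label(sample[i]));
    printf("%d of %d dropped\n", count_dropped(sample, n), n);
    return 0;
}
```

The point of switching on the whole combination rather than testing bits one at a time is that a new oddity (a combination nobody thought of) lands in the default branch and is dropped, instead of slipping past a series of individual checks that each happen to pass.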