
List:       fwtk-users
Subject:    RE: tis on rh linux 6.1
From:       "Luis Fernando Barrera" <luba () assist ! com ! gt>
Date:       2000-03-22 18:20:52

[To be removed from this list send the message "unsubscribe fwtk-users" in the
BODY of a mail message to majordomo@ex.tis.com.]

> > OK I didn't mean to get into semantics. My point was test your firewall no
> > matter what type of firewall it is.
> 
> I won't disagree with you there.
> 
> > The main thing these tcp/ip stack attacks took advantage of was the fact
> > that OS tcp/ip stack programmers were not taking into account all the
> > possible TCP/IP flags combinations. They were programming for all the
> > reasonable combinations, not all POSSIBLE combinations. This flag field is
> > only 6 bits long and I believe most of the stack programmers are covering
> > every combination in their current implementation. An else at the end of a
> > case statement to handle (throw away) any weird combinations is all that
> > should be required.
> 
> That's fine. But whatever the reasons were, there have been in the past
> attacks that resemble sending Packet X to Port Y to crash Operating System
> Z. That's all I was saying. I never discussed the reasons for these
> vulnerabilities, only that they have existed in the past and that they could
> crop up again in the future, and a proxying only firewall will not defend
> (itself) against them (that is...the internal network would be safe).
> 
> > With the above implementation there is no reason a guarantee couldn't be
> > given. The tcp/ip data structure is well known. Any programmers that aren't
> > accounting for all possible combinations shouldn't be programming the
> > tcp/ip stack of any os.
> 

Everything above is correct, no programmer should be doing systems
if he/she is not accounting for all the possible combinations... However, programmers
are human, so there will *always* be a chance that a security hole exists.
If you are security aware, it's better not to put a door in front of your house than
to put a door with a lot of locks, even if they're the most secure locks in the world...
Of course in that case you wouldn't be able to leave/enter your house; that's the tradeoff!

 
> > I happen to like linux's ipchains/packet filtering stuff and will use it on
> > a proxy firewall when I believe it adds to the security but that's only when
> > I don't have a GOOD proxy app for something that needs to pass thru the
> > proxy firewall. (example udp-relay )

The point again is that with packet filtering you have to turn on the IP
forwarding option in the firewall, which is a bad idea...right?


Sorry if my comments were a little behind the conversation... but I think
parts of it are private and others are not...


Luis Fernando Barrera
luba@assist.com.gt 
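As an added example (not part of the thread or of fwtk), the "else at the end of a case statement" idea from the quoted message: pull the 6-bit flag field out of a TCP header and accept only an allowlist of sensible combinations, so anything unexpected falls through to a default drop. The flag bit values follow RFC 793; the allowlist and the constructed test segments are my assumptions.

```python
import struct

# The six classic TCP flags (RFC 793), low six bits of header byte 13.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_MASK = 0x3F  # the 6-bit field the thread is talking about

# Assumed allowlist of combinations a stack reasonably expects to see.
# Everything else (SYN+FIN, no flags, all flags, ...) hits the default branch.
REASONABLE = {
    SYN,                  # connection request
    SYN | ACK,            # connection accept
    ACK,                  # plain acknowledgement
    ACK | PSH,            # data with push
    ACK | FIN,            # orderly close
    ACK | FIN | PSH,
    ACK | RST,
    RST,                  # abort
    ACK | URG,
    ACK | PSH | URG,
}


def tcp_flags(segment: bytes) -> int:
    """Return the 6-bit flag field from a raw TCP header (no IP header)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    # Byte 13 holds the flags; the two high bits (reserved/ECN) are masked off.
    return segment[13] & FLAG_MASK


def verdict(segment: bytes) -> str:
    """Accept allowlisted flag combinations, drop everything else by default."""
    flags = tcp_flags(segment)
    if flags in REASONABLE:
        return "accept"
    else:  # the "else at the end of the case statement": throw it away
        return "drop"


def make_segment(flags: int, sport: int = 12345, dport: int = 80) -> bytes:
    """Build a minimal 20-byte TCP header with the given flags (constructed input)."""
    data_offset = 5 << 4  # header length 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 8192, 0, 0)
```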
