Date: Thu, 17 Oct 2002 04:52:33 -0700
From: David Schultz <dschultz@uclink.Berkeley.EDU>
To: Mike Hoskins <mike@adept.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: CERT VU#539363
Message-ID: <20021017115233.GA10789@HAL9000.homeunix.com>
In-Reply-To: <20021017003422.V5273-100000@fubar.adept.org>
References: <20021017004315.GA8951@HAL9000.homeunix.com> <20021017003422.V5273-100000@fubar.adept.org>
Thus spake Mike Hoskins <mike@adept.org>:
> > I believe that's the idea.  IPFW doesn't do this; it simply stops
> > creating new dynamic rules when the table is full.  I think
> > there's lots of room for DOS resistance here; you could imagine
> > separate per-rule or per-source quotas on dynamic rules, for
> > example.
>
> I noticed a lot of big names haven't replied (Cisco).  I'd like to know
> how the PIX' "adaptive security" algorithms handle this - a first clue
> will be seeing their response.
>
> > If you turn off statefulness, you lose some expressiveness, and
> > you may consequently allow or restrict more than you intended to.
>
> Indeed, I never intended to suggest configuring a "static" firewall as a
> valid option for most stateful installations.  I believe that was an
> intended recommendation from CERT, however, in their typically vague and
> overly broad manner.  ;)

I just read the latter advisory you referred to.  It appears to be
based on the paper by Stephen Gill that it cites, and the author of
the advisory doesn't seem to realize that the described
vulnerabilities aren't new or recently discovered.  The general
problem with maintaining state is well-known, and the specific attack
of desynchronizing the connection state between an internal host and
the firewall is described in [1], along with several variants.  That
said, I still find the problem of intelligently managing firewall
state very interesting.

(By the way, the Gill paper cited at the bottom of the advisory
mentions PIX.  You mentioned you were interested in that, so you
might want to take a look.)

[1] Paxson, V.  Bro: A System for Detecting Network Intruders in
    Real-Time.  Berkeley, 1999.
    ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021017115233.GA10789>
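The quoted exchange above contrasts ipfw's behaviour (stop creating dynamic rules once the table is full) with the suggested per-source quota on dynamic rules. The following is an added toy simulation of a dynamic-rule table written for this page; it is not ipfw or FreeBSD code. The table size of 100, the quota of 20, the addresses and the packet stream are all constructed for illustration. It shows that with only a global limit one source can exhaust the table and lock out a later legitimate connection, while a per-source quota leaves room for it.

```python
"""Toy stateful-firewall dynamic-rule table (added example, not ipfw code).

Compares two admission policies for new flows:
  - global limit only: refuse new state once the table is full
    (the ipfw behaviour described in the thread);
  - global limit plus a per-source quota on dynamic rules
    (the DoS-resistance idea floated in the thread).
All sizes, addresses and traffic below are constructed for illustration.
"""

from collections import Counter
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass(frozen=True)
class Flow:
    """5-tuple key for one dynamic rule (protocol fixed to TCP here)."""
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class DynamicRuleTable:
    max_entries: int                       # assumed global table size
    per_source_quota: Optional[int] = None  # None = global limit only
    entries: Set[Flow] = field(default_factory=set)
    rejected: Counter = field(default_factory=Counter)

    def admit(self, flow: Flow) -> bool:
        """Create a dynamic rule for a new flow, or refuse it.

        Returns True if the flow has state after the call, False if it
        was refused.  Refusals are counted per source for later inspection.
        """
        if flow in self.entries:
            return True  # existing state; nothing to allocate
        if len(self.entries) >= self.max_entries:
            self.rejected[flow.src] += 1
            return False
        if self.per_source_quota is not None:
            used = sum(1 for f in self.entries if f.src == flow.src)
            if used >= self.per_source_quota:
                self.rejected[flow.src] += 1
                return False
        self.entries.add(flow)
        return True

    def expire(self, flow: Flow) -> None:
        """Drop a dynamic rule (timeout or connection teardown)."""
        self.entries.discard(flow)


def flood(table: DynamicRuleTable, attacker: str, n: int,
          dst: str = "10.0.0.5", dport: int = 80) -> int:
    """Simulate n new-connection attempts from one source; return how
    many of them obtained state."""
    accepted = 0
    for sport in range(1024, 1024 + n):
        if table.admit(Flow(attacker, sport, dst, dport)):
            accepted += 1
    return accepted


def run_scenario(per_source_quota: Optional[int]) -> dict:
    """One attacker source floods 500 new flows, then a legitimate client
    tries a single connection.  Addresses are documentation ranges."""
    table = DynamicRuleTable(max_entries=100, per_source_quota=per_source_quota)
    attacker_entries = flood(table, "192.0.2.66", 500)
    legit_ok = table.admit(Flow("198.51.100.7", 40000, "10.0.0.5", 80))
    return {
        "attacker_entries": attacker_entries,
        "legit_ok": legit_ok,
        "table_size": len(table.entries),
    }


if __name__ == "__main__":
    print("global limit only :", run_scenario(None))
    print("per-source quota 20:", run_scenario(20))
```

With the global limit only, the attacker holds all 100 entries and the legitimate connection is refused; with a quota of 20 per source the attacker is capped at 20 and the legitimate flow gets state. The caveat a practitioner should keep in mind is that a per-source quota only helps where the source address is trustworthy (flows from the inside, or flows whose handshake has completed); a flood of spoofed SYNs from the outside spreads across arbitrary sources, so it still needs a per-rule limit or a policy that only creates state after the handshake.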