I am curious how the PIX handles this exploit. 

The exploit is that Checkpoint reassembles fragmented packets before forwarding.
But it does not inspect the packet in any way until it has completely
built the packet... so you can keep sending multiple fragments and it
keeps reassembling, using up system resources, and will probably crash at
some point. Checkpoint supposedly does not check against its rule base
(conduit/statics in PIX) when it receives a fragmented packet!

I vaguely remember that the PIX ignores the first fragment of the
entire series (if it matches the rules) and forwards everything after that.
This way, irrespective of how malicious the fragment is, it never gets
built at the host end... Can anyone confirm how the PIX handles
fragmented packets?

BTW: Check out
        http://www.enteract.com/~lspitz/fwtable.html

This really shows how much work needs to be done on firewall code!
        - Stateful monitoring is a joke
        - No inspection on sequence nos.
        - Fragments!

Nimesh.

On Fri, 9 Jun 2000, Richard Holland wrote:

>   This is a bit off-topic, but I recall a discussion of using Checkpoint
> firewall, and thought I'd share a SANS security newsletter concerning
> checkpoint.
> 
> "It's possible to use various fragmented packets (such as those generated by
> Jolt2.c) to cause the firewall to crash or operate at 100% CPU utilization.
> Firewall rules are ineffective for defense.  More information is in this
> issue as item {00.24.025} ("Check Point FireWall-1 fragmentation DoS")."
> 
> I could forward the complete message to anybody interested.
> 
> Richard A. Holland
> CCNP,MCSE,OpenBSD
> 
> ___________________________________
> UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> FAQ, list archives, and subscription info: http://www.groupstudy.com
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> 
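
An added example, not part of the original posts and not Check Point or PIX code: reassembly bookkeeping with the caps whose absence the thread describes (a fragment limit per datagram, a limit on pending datagrams, and a timeout), so fragments that never complete cannot consume unbounded resources. The class name, parameters and limit values are assumptions, and the sample flow is constructed.

```python
MAX_IP_LEN = 65535  # an IPv4 datagram can never be longer than this

class FragmentTable:
    """Holds incomplete datagrams with hard caps, so unfinished ones cannot pile up."""
    def __init__(self, max_datagrams=64, max_frags=16, timeout=30.0):
        self.max_datagrams, self.max_frags, self.timeout = max_datagrams, max_frags, timeout
        self.pending = {}  # (src, dst, proto, ip_id) -> {"first", "frags", "total"}

    def expire(self, now):
        stale = [k for k, e in self.pending.items() if now - e["first"] > self.timeout]
        for k in stale:  # free datagrams that did not complete in time
            del self.pending[k]
        return len(stale)

    def add(self, key, offset, length, more_fragments, now):
        """Account for one fragment; offset and length are payload bytes."""
        self.expire(now)
        end = offset + length
        # Reject what can never be part of a valid datagram before storing anything.
        if length == 0 or end > MAX_IP_LEN or (more_fragments and length % 8):
            self.pending.pop(key, None)
            return "drop:malformed"
        entry = self.pending.get(key)
        if entry is None:
            if len(self.pending) >= self.max_datagrams:
                return "drop:table-full"
            entry = self.pending[key] = {"first": now, "frags": {}, "total": None}
        if offset not in entry["frags"] and len(entry["frags"]) >= self.max_frags:
            del self.pending[key]  # give the whole datagram up, not just this piece
            return "drop:too-many-fragments"
        entry["frags"][offset] = length
        if not more_fragments:
            entry["total"] = end
        # Gaps or overlaps never count as complete; such entries wait for expiry.
        pos = 0
        for off in sorted(entry["frags"]):
            if off != pos:
                return "hold"
            pos = off + entry["frags"][off]
        if pos != entry["total"]:
            return "hold"
        del self.pending[key]
        return "complete"  # the caller can now inspect the rebuilt packet

if __name__ == "__main__":
    table = FragmentTable(max_datagrams=2, max_frags=3)
    flow = ("192.0.2.10", "198.51.100.5", 17, 0x1234)  # constructed sample flow
    for off in (0, 16, 32, 48):  # constructed fragments that never complete
        print(off, table.add(flow, off, 8, True, now=0.0))
```
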

