Ben Nagy wrote:
> Mikael Olsson wrote:
> > I hope you realize that it looks like you're describing FW-1 here.
> Which is why I prepended the whole thing with "I don't know jack about
> FW-1". C'mon, Mike. Sheesh.

Yeah, but it looked like you knew what you were saying, and I was afraid
that it'd lead all our newbies astray :)

> I have a hard time believing, for example, that if you send an outgoing FTP
> PORT command, fragmented, that FW-1 will not reassemble it to find out what
> hole to whack in the state table. If it is stupid enough not to care about
> inbound command inspection then that's FW-1's problem.

Fragmented? Yeah, that will probably be reassembled.
Split into separate TCP segments? Nyah, nyah, nyah. Good luck :)

Why do you think the FTP data channel fun we had worked at all, with
FTP commands mutilated as badly as the browser made them? :)

Anyhow, my point wasn't getting the firewall to parse PORT commands.
It was that you could shoot commands through the firewall that are 
supposed to be blocked (like ETRN in SMTP, SITE in FTP, et al).
Classic IDS evasion techniques that also work against dumb application
layer inspection code that takes too many shortcuts.

> The "security servers" are the userspace inspection module thingies, aren't
> they? 

Well, yes, as far as I know. I haven't _used_ FW-1, only spotted
vulnerabilities in it :)

> If that's the case then are you suggesting that FW-1 breaks the data
> out to proxy applications for inspection in a manner _different_ to 
> the one I described? ;)

I wouldn't know. I do however know that most people seem to NOT use
the security servers for some reason. This is where I'm coming
from.

> > Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
> > Obviously having a "grumpy" day

Hehe :)
I had just spent an hour or so bitching on the itrace list. 
The other WG members just don't want to see things my way :P

/Mike

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00         Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636        Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/       E-mail: [EMAIL PROTECTED]
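
The gap between per-segment and stream-aware command inspection discussed in the message above, as an added example that is not part of the original post and is not FW-1 code. The function names, the 512-byte line cap and the sample segments are assumptions constructed for illustration.

```python
# Added illustration: why an application-layer filter must judge complete
# protocol lines from the reassembled TCP stream, not individual segments.

BLOCKED = {b"ETRN", b"SITE"}   # verbs the thread names as "supposed to be blocked"
MAX_LINE = 512                 # assumed cap on one unterminated command line

def verb(line: bytes) -> bytes:
    """Upper-cased first word of one protocol line (empty if the line is blank)."""
    parts = line.strip().split(None, 1)
    return parts[0].upper() if parts else b""

def per_segment_filter(segments):
    """The shortcut: treat each TCP segment as if it were one whole command."""
    return [verb(s) for s in segments if verb(s) in BLOCKED]

class StreamFilter:
    """Buffers the byte stream and inspects only complete, newline-terminated lines."""
    def __init__(self):
        self.buf = b""
        self.hits = []

    def feed(self, segment: bytes):
        self.buf += segment
        while b"\n" in self.buf:
            line, self.buf = self.buf.split(b"\n", 1)
            if verb(line) in BLOCKED:
                self.hits.append(verb(line))
        # Fail closed instead of buffering an endless partial line.
        if len(self.buf) > MAX_LINE:
            raise ValueError("unterminated command exceeds line cap; drop connection")

def inspect_stream(segments):
    """Run every segment of one connection through a StreamFilter; return blocked verbs seen."""
    f = StreamFilter()
    for s in segments:
        f.feed(s)
    return f.hits

# Constructed sample traffic: the same SMTP command sent whole and split in two.
WHOLE = [b"ETRN example.test\r\n"]
SPLIT = [b"ET", b"RN example.test\r\n"]

if __name__ == "__main__":
    for name, segs in (("whole", WHOLE), ("split", SPLIT)):
        print(name, "per-segment:", per_segment_filter(segs),
              "stream:", inspect_stream(segs))
```

The per-segment filter only flags the command when it arrives in one piece; the stream filter flags it in both cases and drops connections that never terminate a line.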