Doesn't CP _have_ to forward fragments?
Of course it does, which makes either-bound inspection for long_icmp a
false alarm in the following case:
An allowable ping comes in on IF0, which has MTU of say 1500, and on
its way out of IF1 (which has a smaller MTU, say 1492) any rule looking
for long_icmp will see the fragments follow bit high and take the action
specified (assuming rule 0's handling of ICMP doesn't take precedence).
I think FW1 will forward fragments. I think it has to.
And I think if this is wrong, one of the sharper minds on this list will
tell me.
cheers
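To make the scenario above concrete, here is an added example (not code from the original post, and not Check Point's inspection code) that builds an ICMP echo which fits IF0 at 1500 bytes, fragments it per RFC 791 for an egress MTU of 1492, and runs a hypothetical "long_icmp"-style test over the resulting fragments. The rule definition (fire on any ICMP packet with the More-Fragments bit set or a non-zero fragment offset) is an assumption made for illustration, as are the addresses and payload sizes; the point it shows is that a perfectly ordinary ping becomes a two-fragment train on the narrower interface, and every piece of that train trips such a test.

```python
"""Egress fragmentation of a legitimate ping and a fragment-keyed ICMP rule.
Constructed illustration for the IF0 (MTU 1500) -> IF1 (MTU 1492) case above."""
import struct

IP_HDR_LEN = 20          # IPv4 header without options
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8
FLAG_DF = 0x2            # bit values of the 3-bit flags field
FLAG_MF = 0x1
IP_FMT = "!BBHHHBBH4s4s"  # version/IHL, TOS, total length, ID, flags+offset,
                          # TTL, proto, checksum, src, dst


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(total_len, ident, flags, frag_off, proto, src, dst) -> bytes:
    """20-byte IPv4 header with a valid checksum; frag_off is in 8-byte units."""
    fields = [0x45, 0, total_len, ident, (flags << 13) | frag_off, 64, proto, 0, src, dst]
    fields[7] = inet_checksum(struct.pack(IP_FMT, *fields))
    return struct.pack(IP_FMT, *fields)


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fields a fragment-aware rule needs: proto, MF, DF, offset."""
    (_vihl, _tos, total_len, ident, flags_off, _ttl, proto,
     _csum, src, dst) = struct.unpack(IP_FMT, packet[:IP_HDR_LEN])
    return {
        "total_len": total_len, "ident": ident, "proto": proto,
        "df": bool(flags_off & (FLAG_DF << 13)),
        "mf": bool(flags_off & (FLAG_MF << 13)),
        "frag_off": (flags_off & 0x1FFF) * 8,   # back to bytes
        "src": src, "dst": dst,
    }


def icmp_echo_datagram(payload: bytes, src: bytes, dst: bytes, ident=0x4242) -> bytes:
    """Unfragmented IPv4 datagram carrying an ICMP echo request."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(IP_HDR_LEN + len(icmp), ident, 0, 0, IPPROTO_ICMP, src, dst) + icmp


def fragment(datagram: bytes, mtu: int) -> list:
    """RFC 791 fragmentation for an egress MTU. Every fragment repeats the
    header with MF/offset rewritten; all but the last piece are 8-byte multiples."""
    hdr = parse_ipv4(datagram)
    if len(datagram) <= mtu:
        return [datagram]
    if hdr["df"]:
        raise ValueError("DF set: router must drop and send Fragmentation Needed")
    payload = datagram[IP_HDR_LEN:]
    chunk = (mtu - IP_HDR_LEN) // 8 * 8
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = FLAG_MF if off + chunk < len(payload) else 0
        frags.append(ipv4_header(IP_HDR_LEN + len(piece), hdr["ident"], more,
                                 off // 8, hdr["proto"], hdr["src"], hdr["dst"]) + piece)
    return frags


def long_icmp_match(packet: bytes) -> bool:
    """Hypothetical 'long_icmp' test (an assumption, not the product's
    definition): any ICMP packet that is part of a fragment train."""
    h = parse_ipv4(packet)
    return h["proto"] == IPPROTO_ICMP and (h["mf"] or h["frag_off"] > 0)


def egress_scenario(payload_len=1472, in_mtu=1500, out_mtu=1492) -> list:
    """Ping that exactly fills IF0, re-fragmented for IF1.
    Returns (offset, MF, rule_fires) per fragment leaving IF1."""
    pkt = icmp_echo_datagram(b"A" * payload_len, b"\x0a\x00\x00\x01", b"\xc0\xa8\x01\x0a")
    assert len(pkt) <= in_mtu, "must be deliverable on IF0 unfragmented"
    frags = fragment(pkt, out_mtu)
    return [(parse_ipv4(f)["frag_off"], parse_ipv4(f)["mf"], long_icmp_match(f))
            for f in frags]


if __name__ == "__main__":
    for off, mf, fires in egress_scenario():
        print("offset=%5d MF=%-5s long_icmp=%s" % (off, mf, fires))
```

The 1500-byte ping that is innocent on IF0 becomes a 1492-byte first fragment (MF set) plus a 28-byte tail (offset 1472) on IF1, and the assumed rule fires on both. Whether the real product's rule base ever sees the post-fragmentation packets is exactly the question the reply raises; this example only shows what such a rule would see if it did.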
> -----Original Message-----
> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, May 23, 2000 8:07 AM
> To: [EMAIL PROTECTED]
> Subject: [FW1] IP Fragment Reassembly
>
>
> Recently Microsoft released a security advisory for an announced IP
> Fragment Reassembly Vulnerability (00-029). I've attached it to this
> email. I was looking to get feedback as to whether Checkpoint Firewall-1
> eliminates this flaw at the firewall level or not. The security bulletin
> specifies:
>
> Machines protected by a proxy server or a firewall that drops fragmented
> packets would not be affected by this vulnerability. The machines most
> likely to be affected by this vulnerability would be
> machines located on the edge of a network such as web servers or proxy
> servers.
>
> I've read Lance's paper on Stateful Inspection and in a test environment
> have been unable to confirm that Checkpoint drops these packets. Comments
> and suggestions as to the relative importance of this patch and whether it
> needs to be applied to machines behind a Checkpoint Firewall would be
> appreciated.
>
> The following is a Security Bulletin from the Microsoft Product Security
> Notification Service.
>
> Please do not reply to this message, as it was sent from an unattended
> mailbox.
> ********************************
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Microsoft Security Bulletin (MS00-029)
> - --------------------------------------
>
> Patch Available for "IP Fragment Reassembly" Vulnerability
>
> Originally Posted: May 19, 2000
>
> Summary
> =======
> Microsoft has released a patch that eliminates a security
> vulnerability in Microsoft(r) Windows(r) 95, Windows 98, Windows
> NT(r) 4.0 and Windows 2000. The vulnerability could be used to cause
> an affected machine to temporarily stop performing useful work.
>
> Frequently asked questions regarding this vulnerability and
> the patch can be found at
> http://www.microsoft.com/technet/security/bulletin/fq00-029.asp
>
> Issue
> =====
> The affected systems contain a flaw in the code that performs IP
> fragment reassembly. If a continuous stream of fragmented IP
> datagrams with a particular malformation were sent to an affected
> machine, it could be made to devote most or all of its CPU
> availability to processing them. The data rate needed to completely
> deny service varies depending on the machine and network conditions,
> but in most cases even relatively moderate rates would suffice.
>
> The vulnerability would not allow a malicious user to compromise data
> on the machine or usurp administrative control over it. Although it
> has been reported that the attack in some cases will cause an affected
> machine to crash, affected machines in all Microsoft testing returned
> to normal service shortly after the fragments stopped arriving.
> Machines protected by a proxy server or a firewall that drops
> fragmented packets would not be affected by this vulnerability. The
> machines most likely to be affected by this vulnerability would be
> machines located on the edge of a network such as web servers or proxy
> servers.
>
> Affected Software Versions
> ==========================
> - Microsoft Windows 95
> - Microsoft Windows 98
> - Microsoft Windows NT 4.0 Workstation
> - Microsoft Windows NT 4.0 Server
> - Microsoft Windows NT 4.0 Server, Enterprise Edition
> - Microsoft Windows NT 4.0 Server, Terminal Server Edition
> - Microsoft Windows 2000 Professional
> - Microsoft Windows 2000 Server
> - Microsoft Windows 2000 Advanced Server
>
> Patch Availability
> ==================
> - Windows 95:
> http://download.microsoft.com/download/win95/update/8070/
> w95/EN-US/259728USA5.EXE
> - Windows 98:
> http://download.microsoft.com/download/win98/update/8070/
> w98/EN-US/259728USA8.EXE
> - Windows NT 4.0 Workstation, Server and Server, Enterprise
> Edition:
> http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20829
> - Windows NT 4.0 Server, Terminal Server Edition:
> http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20830
> - Windows 2000 Professional, Server and Advanced Server:
> http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20827
>
> Note: Line breaks have been inserted into the URLs above for
> readability.
>
> Note: Additional security patches are available at the Microsoft
> Download Center
>
> More Information
> ================
> Please see the following references for more information related to
> this issue.
> - Frequently Asked Questions: Microsoft Security Bulletin MS00-029,
> http://www.microsoft.com/technet/security/bulletin/fq00-029.asp
> - Microsoft Knowledge Base article Q259728 discusses this issue
> and will be available soon.
> - RFC 791, Internet Protocol,
> http://www.ietf.org/rfc/rfc0791.txt?number=791
> - Microsoft TechNet Security web site,
> http://www.microsoft.com/technet/security/default.asp
>
> Obtaining Support on this Issue
> ===============================
> This is a fully supported patch. Information on contacting Microsoft
> Technical Support is available at
> http://support.microsoft.com/support/contact/default.asp.
>
> Acknowledgments
> ===============
> Microsoft thanks Bindview's RAZOR Security Team
> (http://www.bindview.com) for reporting this issue to us and working
> with us to protect customers.
>
> Revisions
> =========
> - May 19, 2000: Bulletin Created.
>
> - ----------------------------------------------------
>
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
> "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
> WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
> MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
> SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
> WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
> LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT
> CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF
> SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
> LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
> LIMITATION MAY NOT APPLY.
>
> Last updated May 19, 2000
>
> (c) 2000 Microsoft Corporation. All rights reserved. Terms of use.
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.0.2
>
> iQEVAwUBOSXSiI0ZSRQxA/UrAQEJxQf+Mkw36xigL/G2YKxP7G4BoBgt5HFGBvsL
> koWn2E3lgP9Xy1UnG24epLLjwW7w8lwasviSYBjMA5XOU3lqhTTWOTMjh5qY5/V0
> 8cnjeQOSUQxL4NO5c4nNLHkDBRlBeWNfEiFahb5+XOakaIwpiaBbS0WqI9ojY3Nh
> fsp4MBOcjFmcI0h9Mw4yPF62FeEyYubp5CojLk8cn2gPsJrSMMvtW9CX8lhNyTrB
> DqpUNhkwgddXk4hVuAFT37WJWcTp7mgtTeTtKH67z/NzXkkOHld25vOvZPtgl1Zn
> bAkcSU0CV4Af91flq0Uxp5s40DduVl1TY9l+mHosSClVyImS0ouOrQ==
> =wC2m
> -----END PGP SIGNATURE-----
>
> *******************************************************************
> You have received this e-mail bulletin as a result of your registration
> to the Microsoft Product Security Notification Service. You may
> unsubscribe from this e-mail notification service at any time by sending
> an e-mail to [EMAIL PROTECTED]
> The subject line and message body are not used in processing the request,
> and can be anything you like.
>
> To verify the digital signature on this bulletin, please download our PGP
> key at http://www.microsoft.com/technet/security/notify.asp.
>
> For more information on the Microsoft Security Notification Service
> please visit http://www.microsoft.com/technet/security/notify.asp. For
> security-related information about Microsoft products, please visit the
> Microsoft Security Advisor web site at http://www.microsoft.com/security.
>
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================