There has been a great deal of 'controversy' concerning
how FW-1 handles IP fragmentation. I'm not a big fan of
speculation, so I decided to test it myself. Below are
the results (tested on FW-1, ver 4.1 on Solaris x86 2.7).
Some understanding of IP Fragmentation is expected. Keep
in mind that the data length of Frag IP packets is increased
in increments of 8 bytes (Stevens).
1. FW-1 by default drops any fragmented packet that has
a data length of 8 or 16 bytes. At a minimum, the fragmented
IP packet must have a minimum data length of 24 bytes. This
means 'nmap -f' scans are dropped by default by FW-1. The
log entry will be rule 0 with info "reason: TCP packet too short".
2. Fragmented packets accepted by FW-1 rulebase (minimum 24 bytes)
are forwarded in the fragmented state. Frags in, frags out.
3. Fragmented packets not accepted by the FW-1 rulebase are not
forwarded. I DO NOT know if this means reassembly happens during
the inspection phase. More testing is required.
Does this mean that Windows systems are still vulnerable? I haven't
a clue, I'm a Unix weenie :)
All testing was done with snort, hping2, and nmap (my tools of
choice).
lance
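As an added illustration (not part of lance's post, and not Check Point code): a small Python model of the behaviour reported above. It parses the IPv4 header fields a fragment check depends on (IHL, total length, MF flag, fragment offset) and applies the 24-byte minimum data length and the rule-0 log text the post describes; the header builder, the addresses and the 24-byte threshold as a constant are constructed for this example, and the threshold is only what the post observed, not a documented Check Point figure.

```python
import struct

IPV4_FMT = "!BBHHHBBH4s4s"        # fixed 20-byte IPv4 header, no options
MIN_FRAG_DATA_LEN = 24            # from the post: 8- and 16-byte fragments were dropped
DROP_REASON = "rule 0, reason: TCP packet too short"   # log text quoted in the post

def build_ipv4(total_len, more_frags, frag_offset_units, proto=6):
    """Constructed test header. frag_offset_units is in 8-byte units, as on the wire."""
    ver_ihl = (4 << 4) | 5
    flags_frag = ((1 if more_frags else 0) << 13) | (frag_offset_units & 0x1FFF)
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses
    return struct.pack(IPV4_FMT, ver_ihl, 0, total_len, 0x1234, flags_frag,
                       64, proto, 0, src, dst)

def parse_ipv4(pkt):
    """Return the fragment-relevant fields; data_len is what the post calls 'data length'."""
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, _, _ = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ihl": ihl,
        "total_len": total_len,
        "mf": bool(flags_frag & 0x2000),          # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,      # fragment offset in bytes
        "proto": proto,
        "data_len": total_len - ihl,
    }

def fw1_fragment_verdict(pkt):
    """Model of the post's observation: fragments with < 24 data bytes are dropped by rule 0.

    Returns (verdict, log_text). Non-final fragments must carry a multiple of 8 data
    bytes (offsets are in 8-byte units), so anything else is flagged as malformed first.
    """
    f = parse_ipv4(pkt)
    is_fragment = f["mf"] or f["offset"] > 0
    if not is_fragment:
        return ("not-a-fragment", None)
    if f["mf"] and f["data_len"] % 8 != 0:
        return ("malformed", "non-final fragment data length not a multiple of 8")
    if f["data_len"] < MIN_FRAG_DATA_LEN:
        return ("drop", DROP_REASON)
    return ("inspect", None)        # reaches the rulebase; forwarded still fragmented if accepted
```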
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html