At 02:37 PM 5/25/00 +0200, Mikael Olsson wrote:
>All you've got to do with a filtering firewall is implement the correct
>filter (or wait for a fix) and you get the vulnerable servers back up.

Good theory, not seen to work in practice. For example, the Ping-Of-Death 
bug. The first fixes for SYN flood attacks came from the proxy firewall 
vendors, not packet filters.
Now there are fragment leakage attacks. What 'correct filter' rule are you 
going to add to fix that?

There's an argument to be made both ways. The secure stance is to fail - if 
you're under attack at your firewall, who knows what else is being 
attacked? While you're concentrating on deflecting the DDOS, the cracker is 
performing a slow port scan of your network and you'll never notice. 
However, if you're E-Bay, you want to stay up no matter what.

This whole thing is the perfect argument for defense in depth - put two 
firewalls in series using different technology - a single attack isn't 
likely to hit two different implementations. (Even two Firewall-1 boxes 
in series - one on Solaris, one on NT for example - fits this. Microsoft's 
stack is highly unlikely to have any bugs in common with the Solaris one.)
         -Rick
