On Wed, 14 Jun 2000, Chambers, Steven wrote:

> Surely Realsecure can detect the attack and reconfigure the Fw using opsec.
>
> That's what we plan to do.

Steven, I hope you don't mind, but I have taken the liberty of replying to both you and the FW-1 list group. There are two major flaws in your plan to protect against Jolt2 and other fragment attacks. I wanted to share this so we could all learn from some common misconceptions.

1. The Firewall rulebase CANNOT protect against illegal or incomplete fragments. Even if your Firewall rulebase denies everything, you are still vulnerable to the attack. I highly recommend you implement CheckPoint's short term solution to the attack. Both an explanation and a solution of the attack can be found at http://www.enteract.com/~lspitz/fwtable.html

2. I truly believe that RealSecure's 'auto reconfigure' feature is an EXTREMELY dangerous idea. It looks great in marketing, but is highly dangerous to the network. By autoconfiguration, you are now allowing the bad guys to reconfigure your firewall rulebase. For example, let's say that you set up RealSecure to automatically block anyone sending fragment attacks against you. If you do this, I can easily bring down your entire network.

    nmap -v -f -D <13 root servers> <your firewall>

RealSecure detects a fragattack/scan from the 13 DNS root servers and now blocks them. You now have no DNS resolution to the Internet. This is merely an example to demonstrate the vulnerabilities this 'feature' provides.

Hope this helps.

lance

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
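The failure mode in point 2 (an IDS that blocks whatever source address an alert carries, so spoofed or decoy addresses turn the block rule against your own infrastructure) can be shown with a small policy model. The following is an added example and not part of Lance's message or of any RealSecure or FireWall-1 code; the address values are constructed (TEST-NET ranges), the "critical hosts" list stands in for whatever upstream DNS servers a site depends on, and the class and function names are invented for the illustration. It contrasts the naive "block every reported source forever" policy with one that refuses to block an allowlist, expires blocks, and caps how many auto-blocks can exist at once.

```python
"""
Added example (not from the original mailing-list post): a model of an
IDS-driven "auto reconfigure" firewall policy.  Alert source addresses in
fragment scans are trivially spoofable, so a policy that blocks them blindly
can be driven to cut off legitimate hosts.  All addresses and events here are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed stand-in for "hosts we cannot afford to lose" (e.g. upstream DNS).
CRITICAL_HOSTS: Set[str] = {"192.0.2.53", "192.0.2.54"}
SCANNER = "203.0.113.7"  # constructed address of the one genuine scanning host


@dataclass
class FragEvent:
    """One IDS alert: the claimed source address and the time it was raised."""
    src: str    # source IP as seen on the wire; nothing authenticates it
    ts: float   # alert timestamp (seconds)


class NaiveAutoBlock:
    """Blocks any source the IDS reports, permanently.  This is the risky design."""

    def __init__(self) -> None:
        self.blocked: Set[str] = set()

    def on_alert(self, ev: FragEvent) -> bool:
        self.blocked.add(ev.src)
        return True

    def allows(self, src: str, now: float) -> bool:
        return src not in self.blocked


class GuardedAutoBlock:
    """Same trigger, but with three damage limits:
      - never blocks hosts on the allowlist,
      - every block expires after `ttl` seconds,
      - at most `max_blocks` auto-blocks exist at once (a decoy flood cannot
        fill the rulebase with hundreds of spoofed sources)."""

    def __init__(self, allowlist: Iterable[str], ttl: float = 300.0, max_blocks: int = 100) -> None:
        self.allowlist = set(allowlist)
        self.ttl = ttl
        self.max_blocks = max_blocks
        self.blocked: Dict[str, float] = {}   # src -> expiry timestamp
        self.refused: List[str] = []          # audit trail of alerts not acted on

    def _expire(self, now: float) -> None:
        for src, expiry in list(self.blocked.items()):
            if expiry <= now:
                del self.blocked[src]

    def on_alert(self, ev: FragEvent) -> bool:
        self._expire(ev.ts)
        if ev.src in self.allowlist:
            self.refused.append(f"refused to block allowlisted {ev.src}")
            return False
        if ev.src not in self.blocked and len(self.blocked) >= self.max_blocks:
            self.refused.append(f"block cap reached; not blocking {ev.src}")
            return False
        self.blocked[ev.src] = ev.ts + self.ttl
        return True

    def allows(self, src: str, now: float) -> bool:
        self._expire(now)
        return src not in self.blocked


def build_spoofed_burst(t0: float) -> List[FragEvent]:
    """Constructed alert stream: fragment-scan alerts whose source fields carry
    the critical hosts' addresses (decoys) plus the one real scanning host."""
    return [FragEvent(src, t0) for src in sorted(CRITICAL_HOSTS)] + [FragEvent(SCANNER, t0)]


def run_demo(t0: float = 1_000_000.0) -> Dict[str, bool]:
    """Feed the same burst to both policies and report what each one did."""
    naive, guarded = NaiveAutoBlock(), GuardedAutoBlock(CRITICAL_HOSTS, ttl=300.0)
    for ev in build_spoofed_burst(t0):
        naive.on_alert(ev)
        guarded.on_alert(ev)
    return {
        # Naive policy: the spoofed alerts cut off every critical host.
        "naive_critical_reachable": all(naive.allows(h, t0) for h in CRITICAL_HOSTS),
        # Guarded policy: allowlisted hosts are never blocked.
        "guarded_critical_reachable": all(guarded.allows(h, t0) for h in CRITICAL_HOSTS),
        # The real scanner is blocked for the TTL, then released.
        "guarded_scanner_blocked_now": not guarded.allows(SCANNER, t0 + 1),
        "guarded_scanner_blocked_later": not guarded.allows(SCANNER, t0 + 301),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The guarded policy does not make auto-reconfiguration safe on its own; it only bounds the blast radius. In practice the block decision should also rest on evidence that cannot be forged by a single spoofed datagram (for instance, a completed TCP handshake from the source), and every automatic change should be logged and reviewed so that a burst of refused or expired blocks is itself treated as a signal.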
