RE: [fw-wiz] CERT vulnerability note VU# 539363

From: Stephen Gill (gillsrat_private)
Date: Wed Oct 16 2002 - 06:20:09 PDT


    In my opinion if a stateful firewall claims it can filter at rate X
    (64byte packets, etc...), it should be able to filter at that rate under
    all conditions.  Clearly a 100MB firewall that can be overloaded with
    1MB of traffic is not good.  I'd argue that if a 100MB firewall can be
    overloaded with 34MB of traffic, it's also not a good thing.  But then
    again, even 100MB of filtering won't save you in a 100MB DoS which is
    not all that uncommon.  
    
    I'd like to learn some of the other methods being used for mitigation
    amongst vendors.  
    
    -- steve
    
    -----Original Message-----
    From: Mikael Olsson [mailto:mikael.olssonat_private] 
    Sent: Wednesday, October 16, 2002 7:44 AM
    To: Stephen Gill
    Cc: firewall-wizardsat_private
    Subject: Re: [fw-wiz] CERT vulnerability note VU# 539363
    
    
    Stephen Gill wrote:
    > 
    > Thought I'd pass this along.
    > 
    > http://www.kb.cert.org/vuls/id/539363
    
    Although this is something that people need to keep in mind when 
    picking / designing a firewall, I'd argue that anything north of
    a stateless packet filter is going to be vulnerable to these sorts
    of attacks.  
    
    If you keep state, you will be vulnerable to state table overflows. 
    Period.  The only real question is: how much work does the attacker 
    need to put in before it becomes painful for the networks that the 
    firewall is protecting?  Is being able to resist a 1 Mbps stream 
    (~4500 pps) "Not vulnerable"?  Is being able to resist a 34 Mbps stream
    (~150 kpps) "Not vulnerable"?  Or should every single firewall
    vendor report in and say "Vulnerable", and describe what the limit is?
    
    
    And, yes, ALG-only firewalls can also be overloaded. It's just a 
    different type of 'state'.
    
    -- 
    Mikael Olsson, Clavister AB
    Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
    
    "Senex semper diu dormit"
    
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizardsat_private
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
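The arithmetic both messages argue over (rate in Mbps to packets per second, and whether a state table can absorb that many new entries before they age out) as an added worked model; this is illustration code, not from either poster or from any vendor. The 28-byte packet size is an assumption chosen because it reproduces the thread's ~4500 pps at 1 Mbps and ~150 kpps at 34 Mbps; the 60 s timeout and table sizes are constructed values.

```python
from collections import deque

def packets_per_second(mbps: float, packet_bytes: int) -> float:
    """Line rate in Mbps -> packets/s for a fixed on-the-wire packet size."""
    return mbps * 1_000_000 / (packet_bytes * 8)

def entries_needed(pps: float, timeout_s: int) -> int:
    """Steady-state table size needed to hold every entry until it ages out."""
    return int(pps * timeout_s)

def simulate(pps: int, timeout_s: int, capacity: int, duration_s: int):
    """One-second ticks. Assumption (constructed model): every packet opens a
    fresh entry that lives exactly timeout_s seconds, and the table refuses new
    entries once full. Returns (peak occupancy, first tick the table was full)."""
    created_per_tick = deque()  # entries opened in each of the last timeout_s ticks
    occupancy = 0
    peak = 0
    full_at = None
    for t in range(duration_s):
        if len(created_per_tick) == timeout_s:  # age out the oldest tick's entries
            occupancy -= created_per_tick.popleft()
        created = min(pps, capacity - occupancy)
        if created < pps and full_at is None:
            full_at = t
        created_per_tick.append(created)
        occupancy += created
        peak = max(peak, occupancy)
    return peak, full_at

if __name__ == "__main__":
    for mbps in (1, 34):
        pps = round(packets_per_second(mbps, 28))
        print(f"{mbps} Mbps of 28-byte packets = {pps} pps, "
              f"needs {entries_needed(pps, 60)} entries at a 60 s timeout")
    # A 100k-entry table fills in 22 s at 4500 pps; a 1M-entry table never does
    print(simulate(4500, 60, 100_000, 120))    # (100000, 22)
    print(simulate(4500, 60, 1_000_000, 120))  # (270000, None)
```

The point the model makes concrete is Mikael's: the occupancy a constant stream settles at is pps times timeout, so the "limit" a vendor could publish is simply the rate at which that product exceeds the table size.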
    



    This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 06:42:10 PDT