[fw-wiz] RE: CERT vulnerability note VU# 539363

From: Stephen Gill (gillsrat_private)
Date: Wed Oct 16 2002 - 15:00:10 PDT


    In V4.0 the syntax has changed somewhat for the aforementioned command,
    though the concept still applies...
    
    set zone <zone> screen limit-session source-ip-based <threshold>
    
    I've requested something like 
    
    set zone <zone> screen limit-session dest-ip-based <threshold>
    
    but I've not seen it in code yet.  If I'm not mistaken I believe CP has
    added the ability to do both recently.
    
    -- steve
    
    ----------------
    
    From: "Philip J. Koenig" <pjklistat_private>
    Organization: The Electric Kahuna Organization
    To: firewall-wizardsat_private
    Date: Wed, 16 Oct 2002 11:50:41 -0700
    Subject: Re: [fw-wiz] CERT vulnerability note VU# 539363
    Reply-To: pjklistat_private
    
    > Date: Wed, 16 Oct 2002 15:53:37 +0200
    > From: Daniel Hartmeier <danielat_private>
    > 
    > On Wed, Oct 16, 2002 at 08:20:09AM -0500, Stephen Gill wrote:
    > 
    > > In my opinion if a stateful firewall claims it can filter at rate X 
    > > (64byte packets, etc...), it should be able to filter at that rate 
    > > under all conditions.
    > 
    > Obviously, for any X, when each packet is part of a TCP handshake, the
    > X/2 (or /3, depending on how you count) newly established connections 
    > per second will exhaust memory on the firewall after a certain amount 
    > of time.
    > 
    > I don't think you meant 'be able to filter at that rate' to include 
    > 'dropping legitimate connections when running out of memory', did you?
    > 
    > > I'd like to learn some of the other methods being used for 
    > > mitigation amongst vendors.
    > 
    > Yes, that's what I'd find most interesting to read in vendor statements
    > myself. :)
    > 
    > Daniel
    
    
    In addition to a syn-flood prevention thingy which at a user-
    configurable threshold will start dropping X percent of new SYN 
    connections, Netscreen has a feature where you can limit the number 
    of sessions a particular IP address can generate, i.e.:
    
        set firewall session-threshold source-ip-based 1000
    
    
    This would seem to be helpful for various things (i.e. Code Red 
    infected internal hosts), unless you're getting a random IP-address-
    spoofed incoming DoS.
    
    --
    Philip J. Koenig                                       
    pjklistat_private
    Electric Kahuna Systems -- Computers & Communications for the New 
    Millenium
    
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizardsat_private
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
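To make the distinction between Philip's per-source session threshold and the per-destination limit Stephen is asking for concrete, here is an added toy model of both limits run over a constructed stream of new-session attempts. It is example code written for this page, not Netscreen, Check Point or any list member's code; the 1000-session threshold is borrowed from Philip's example, and the IP addresses, session counts and the "sessions never age out" simplification are assumptions made for illustration.

```python
"""Toy model of source-IP-based and destination-IP-based session limits.

Added example, not firewall vendor code. It models the worst case Daniel
describes (the state table only grows, nothing ages out) and shows why a
per-source limit alone does nothing against a flood whose source
addresses are all different, while it does cap a single chatty host.
"""
from collections import defaultdict
from typing import Iterable, Optional


def apply_limits(syns: Iterable[tuple[str, str]],
                 src_limit: Optional[int] = None,
                 dst_limit: Optional[int] = None) -> dict:
    """Replay new-session attempts through optional per-source and
    per-destination thresholds and report what would be admitted.

    syns: (source_ip, destination_ip) for each new-session attempt.
    src_limit: max sessions any one source may hold (None = limit off).
    dst_limit: max sessions any one destination may receive (None = off).
    A session that is admitted stays in the table for the whole run.
    """
    per_src: dict[str, int] = defaultdict(int)
    per_dst: dict[str, int] = defaultdict(int)
    allowed = dropped = 0
    for src, dst in syns:
        if src_limit is not None and per_src[src] >= src_limit:
            dropped += 1          # this source already holds its quota
            continue
        if dst_limit is not None and per_dst[dst] >= dst_limit:
            dropped += 1          # this destination is already at its cap
            continue
        per_src[src] += 1
        per_dst[dst] += 1
        allowed += 1
    # With no ageing, the state-table size equals the number admitted.
    return {"allowed": allowed, "dropped": dropped, "table_size": allowed}


def infected_internal_host(n: int = 5000) -> list[tuple[str, str]]:
    """Constructed traffic: one internal host (Philip's Code Red case)
    opening n sessions to n distinct external destinations."""
    return [("10.0.0.7", f"203.0.{i // 256}.{i % 256}") for i in range(n)]


def spoofed_flood(n: int = 5000) -> list[tuple[str, str]]:
    """Constructed traffic: n SYNs, each with a different (spoofed)
    source address, all aimed at one server."""
    return [(f"10.{i // 256}.{i % 256}.9", "192.0.2.10") for i in range(n)]


def compare(limit: int = 1000) -> dict:
    """Run both scenarios with the source limit alone and with source
    plus destination limits, using the same threshold for each."""
    results = {}
    for name, traffic in (("infected_host", infected_internal_host()),
                          ("spoofed_flood", spoofed_flood())):
        results[name] = {
            "src_only": apply_limits(traffic, src_limit=limit),
            "src_and_dst": apply_limits(traffic, src_limit=limit,
                                        dst_limit=limit),
        }
    return results


if __name__ == "__main__":
    import json
    print(json.dumps(compare(), indent=2))
```

Under the source-only limit the infected host is capped at 1000 sessions, but the spoofed flood is admitted in full and the state table grows by one entry per packet, which is exactly the memory-exhaustion case Daniel raises; adding the destination-based threshold caps the flood at the same 1000 entries, at the cost of also refusing legitimate new sessions to that server once the cap is reached. Real firewalls distinguish half-open from established sessions and age entries out, which this model deliberately omits.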
    



    This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 15:07:02 PDT