Firewall Wizards mailing list archives

Re: How stateful is stateful inspection?


From: David Lang <dlang () diginsite com>
Date: Wed, 14 Jul 1999 09:12:17 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

Having just gone through an evaluation of firewall-1 I would like to point
out that they recommend NOT to turn on the optional defragmentation
capability for performance/memory reasons.

David Lang

On Wed, 14 Jul 1999, Sean Costello wrote:

Lance,

the only attacks I'm currently aware of using mangled 
seq & ack #'s in the packet also heavily rely on an OS's
inability to deal with packet fragmentation (la tierra I 
think...? something like that...).

FW1 inherently will not route a fragmented packet 
before it has been fully reassembled.  This is known as 
the fragmentation engine and provides inherent 
protection against things like the PING of death and so 
on.  

In summary it eliminates any one of many exploitations
of various vendors' poorly designed reassembly 
mechanisms.

"If users are made to understand that the system administrator's job is to
make computers run, and not to make them happy, they can, in fact, be made
happy most of the time. If users are allowed to believe that the system
administrator's job is to make them happy, they can, in fact, never be made
happy." 
-Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA '97)

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBN4y24z7msCGEppcbAQG7ZAf6Av5cV7VZ51+VQkHfjO34DmyOdXmGm48P
jBeSpQIDP0ZhyHHQYklHHM0cu2eURBdljWE3a+kzD30U+baZoPfWOP+kokKQijZg
tp0PZH4chiKNJHnZM4v7WijB1yw1Q396aMIvYSzPAblRghjDxE1140mwHpfS+SOt
BA5D9MQXHcW92u38nfOtKA72ON0FSR+gXfSWZcUZMLxh7JH1DNez02nVyh1QMhKd
YDavzItg8/r/SnC1eyBx7vfM/8UC7Wyyd+GsriCLpVaosFYmIS3u3qkc1PS1P9oI
nK8PiQBliGQZZEEMWTeUaLfhlNzujSeushI/p/oOLjrW56CQYx1A0g==
=b0SF
-----END PGP SIGNATURE-----
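
The reassemble-before-forward behaviour Sean describes, together with the memory cost David points to, as an added example that is not code from this thread or from the FW-1 product: a minimal IP fragment reassembler that refuses to release a datagram until every byte is accounted for, rejects fragments whose reach exceeds the 16-bit IP total length, rejects overlapping and inconsistent fragments, and caps how much fragment data it will hold. The address, identifier and payload values, and the 256 KiB memory budget, are constructed for the example.

```python
"""Fragment reassembly with the checks a firewall "fragmentation engine"
needs before it inspects or forwards a datagram. Added example; the field
values below are constructed test data, not captured traffic."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_DATAGRAM = 65535               # largest total length an IPv4 header can express
MAX_BUFFERED_BYTES = 256 * 1024    # assumed per-engine memory budget (constructed value)


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int        # IP identification field shared by all fragments of one datagram
    offset: int       # fragment offset in 8-byte units, as carried in the IP header
    more: bool        # MF ("more fragments") flag
    payload: bytes


@dataclass
class _Pending:
    pieces: List[Tuple[int, bytes]] = field(default_factory=list)  # (byte offset, data)
    total_len: Optional[int] = None   # known once the last fragment (MF=0) has arrived
    buffered: int = 0


class FragmentEngine:
    def __init__(self, max_buffered: int = MAX_BUFFERED_BYTES):
        self._pending: Dict[Tuple[str, str, int], _Pending] = {}
        self._buffered = 0
        self._max = max_buffered
        self.dropped: List[str] = []   # reasons for every datagram discarded

    def feed(self, frag: Fragment) -> Optional[bytes]:
        """Accept one fragment. Returns the reassembled payload when the
        datagram is complete, otherwise None. A malformed fragment discards
        the whole datagram it belongs to, so nothing partial is ever forwarded."""
        key = (frag.src, frag.dst, frag.ident)
        start = frag.offset * 8
        end = start + len(frag.payload)
        if frag.more and len(frag.payload) % 8:
            self._discard(key, "non-final fragment not a multiple of 8 bytes")
            return None
        if end > MAX_DATAGRAM:
            self._discard(key, "fragment extends past 65535 bytes")
            return None
        p = self._pending.setdefault(key, _Pending())
        for s, data in p.pieces:
            if start < s + len(data) and s < end:
                self._discard(key, "overlapping fragment")
                return None
        if not frag.more:
            if p.total_len is not None and p.total_len != end:
                self._discard(key, "conflicting last fragment")
                return None
            p.total_len = end
        elif p.total_len is not None and end > p.total_len:
            self._discard(key, "fragment beyond declared end")
            return None
        if self._buffered + len(frag.payload) > self._max:
            self._discard(key, "reassembly memory budget exceeded")
            return None
        p.pieces.append((start, frag.payload))
        p.buffered += len(frag.payload)
        self._buffered += len(frag.payload)
        return self._try_complete(key, p)

    def _try_complete(self, key, p: _Pending) -> Optional[bytes]:
        # With overlaps rejected and every piece inside [0, total_len), the
        # datagram is complete exactly when the piece lengths sum to total_len.
        if p.total_len is None or sum(len(d) for _, d in p.pieces) != p.total_len:
            return None
        p.pieces.sort()
        out = b"".join(d for _, d in p.pieces)
        self._release(key)
        return out

    def _discard(self, key, reason: str) -> None:
        self.dropped.append(reason)
        self._release(key)

    def _release(self, key) -> None:
        p = self._pending.pop(key, None)
        if p is not None:
            self._buffered -= p.buffered


def demo() -> List[Optional[bytes]]:
    """Constructed 36-byte datagram split into three fragments, fed out of order."""
    eng = FragmentEngine()
    a = Fragment("10.0.0.1", "10.0.0.2", 7, 0, True, b"A" * 16)
    b = Fragment("10.0.0.1", "10.0.0.2", 7, 2, True, b"B" * 16)
    c = Fragment("10.0.0.1", "10.0.0.2", 7, 4, False, b"C" * 4)
    return [eng.feed(x) for x in (a, c, b)]   # only the third call yields the datagram
```

The memory budget is the trade-off David mentions: every half-assembled datagram sits in the engine until it completes or is discarded, so a firewall that reassembles before forwarding must bound that buffer and drop datagrams rather than grow without limit.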