RE: [fw-wiz] CERT vulnerability note VU# 539363

From: Ofir Arkin (ofir@sys-security.com)
Date: 10/16/02


From: "Ofir Arkin" <ofir@sys-security.com>
To: "'Stephen Gill'" <gillsr@yahoo.com>, "'Mikael Olsson'" <mikael.olsson@clavister.com>
Date: Wed Oct 16 09:53:49 2002

Interesting that CERT found time to publish this kind of advisory...

Interesting that for other, more damaging, vulnerabilities they either
don't have time or drag it out forever, sending information to only a
handful of selected vendors while not informing others.

But this is me ranting about stuff...

The issue discussed in their advisory has been a well-known fact for years.
What's next?...

Ofir Arkin [ofir@sys-security.com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Stephen
Gill
Sent: Wednesday, October 16, 2002 3:20 PM
To: 'Mikael Olsson'
Cc: firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] CERT vulnerability note VU# 539363

In my opinion if a stateful firewall claims it can filter at rate X
(64-byte packets, etc...), it should be able to filter at that rate under
all conditions. Clearly a 100MB firewall that can be overloaded with
1MB of traffic is not good. I'd argue that if a 100MB firewall can be
overloaded with 34MB of traffic, it's also not a good thing. But then
again, even 100MB of filtering won't save you in a 100MB DoS which is
not all that uncommon.

I'd like to learn some of the other methods being used for mitigation
amongst vendors.

-- steve

-----Original Message-----
From: Mikael Olsson [mailto:mikael.olsson@clavister.com]
Sent: Wednesday, October 16, 2002 7:44 AM
To: Stephen Gill
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] CERT vulnerability note VU# 539363

Stephen Gill wrote:
>
> Thought I'd pass this along.
>
> http://www.kb.cert.org/vuls/id/539363

Although this is something that people need to keep in mind when
picking / designing a firewall, I'd argue that anything north of
a stateless packet filter is going to be vulnerable to these sorts
of attacks.

If you keep state, you will be vulnerable to state table overflows.
Period. The only real question is: how much work does the attacker
need to put in before it becomes painful for the networks that the
firewall is protecting? Is being able to resist a 1 Mbps stream
(~4500 pps) "Not vulnerable"? Is being able to resist a 34 Mbps stream
(~150 kpps) "Not vulnerable"? Or should every single firewall
vendor report in and say "Vulnerable", and describe what the limit is?

And, yes, ALG-only firewalls can also be overloaded. It's just a
different type of 'state'.

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
"Senex semper diu dormit"
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
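
The sizing question raised in the thread (how high a rate of new flows a state table can absorb before it overflows), worked through as an added example that is not part of the original messages. The table capacity, idle timeout and refuse-when-full behaviour are assumptions chosen for illustration; only the 4500 pps and 150 kpps rates come from the thread.

```python
from collections import deque

def simulate(new_flows_per_sec, capacity, idle_timeout_s, duration_s):
    """Offer never-completing new flows at a fixed rate to a fixed-size state table.

    Returns (peak_entries, refused, offered). Model assumption: a full table
    refuses new flows instead of evicting older entries.
    """
    expiries = deque()   # expiry times; a single timeout keeps them sorted
    peak = refused = 0
    offered = int(new_flows_per_sec * duration_s)
    for i in range(offered):
        now = i / new_flows_per_sec
        while expiries and expiries[0] <= now:   # age out idle entries
            expiries.popleft()
        if len(expiries) >= capacity:
            refused += 1   # legitimate new connections are refused here too
        else:
            expiries.append(now + idle_timeout_s)
            peak = max(peak, len(expiries))
    return peak, refused, offered

def sustainable_rate(capacity, idle_timeout_s):
    """Highest steady new-flow rate the table holds: entries = rate * timeout."""
    return capacity / idle_timeout_s

# Constructed sizing values, not taken from any product.
CAPACITY, TIMEOUT_S, DURATION_S = 100_000, 5.0, 10.0

def report():
    """One row per rate quoted in the thread: (pps, peak entries, refused share)."""
    rows = []
    for pps in (4_500, 150_000):
        peak, refused, offered = simulate(pps, CAPACITY, TIMEOUT_S, DURATION_S)
        rows.append((pps, peak, refused / offered))
    return rows

if __name__ == "__main__":
    print(f"sustainable: {sustainable_rate(CAPACITY, TIMEOUT_S):.0f} new flows/s")
    for pps, peak, share in report():
        print(f"{pps:>7} pps  peak={peak:>6}  refused={share:.1%}")
```

Publishing the capacity and idle timeout alongside a throughput figure gives the limit asked for in the thread: any sustained new-flow rate above capacity / timeout fills the table.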

