Re: [fw-wiz] A fun smackdown...

From: Marcus J. Ranum (
Date: 05/21/05

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] Thoughts on the new Cisco ASA 5500 firewalls"
    To: Chuck Swiger <>
    Date: Sat, 21 May 2005 12:58:02 -0400

    Chuck Swiger wrote:
    >By definition, the IETF is concerned with systems which interoperate over public networks using network-wide conventions and publicly documented standards. What people do with private machines or private networks is up to them, at least so long as they *don't* connect those machines to the Internet.

    You're completely ignoring the fundamental dilemma that I am trying
    to get you to confront. My position in a nutshell:
    - "Standards that don't take security into account are not internet-worthy"
    and you're asserting
    - "If you don't follow standards you break 'legitimate' traffic"

    The problem is that, since the standards don't take security into
    account, the traffic is not 'legitimate' - it's 'dangerous' and a
    security device can and SHOULD interfere with it.

    Maybe the first time someone invents a PMTUD denial of
    service attack you'll "get it."

    >A firewall which breaks ESMTP, or HTTP/1.1, or PMTUD to such machines (typically in a DMZ) significantly impacts legitimate access with questionable gains at best for security, and IMHO is a poor tradeoff.

    Well, since it's a matter of opinion, I don't agree with you. :)

    Let's look at another example. The RFCs for FTP include
    provisions for third party transfer. The PORT command could
    be connected to a different host than the client. Historically,
    that feature was never used. When I wrote the DEC SEAL
    FTP proxy* I realized that this could be used to issue arbitrary
    connections. So I deliberately broke from the RFC and put
    code in to sever a connection that was attempting this.
    So in your terms, since it was in the RFC, it was "legitimate"
    but by trashing all over the holy RFC I made networks much
    more secure.

    So, suppose you're running an older model Gauntlet firewall
    or a DEC SEAL. They trash all over the holy RFC by
    not even knowing what ESMTP is. Congratulations! If
    someone finds a vulnerability that has anything to do
    with ESMTP or any option that can be reached via that
    code path: you're protected.

    >And as for PMTUD, I'd be happy to see a better solution for MTU discovery, short of depending on all intermediate routers to handle IP fragmentation in an efficient and sane fashion. Do you have something better, Marcus...?

    It's kind of you to come to me for all the answers but I'm not a
    networking protocol designer - I'm a security system designer.
    So don't ask me how to implement something better than the
    current PMTUD. On the other hand, I can assert with some
    comfort that if I *did* implement some kind of PMTUD it'd be
    better than the current approach because it would take
    established security techniques and security into account
    in its design.

    (*Yes, hacker kiddies who think you invented FTP bouncing
    in 1995, you are completely wrong. Not only was I there
    first, I contacted the maintainers of BSD and had a check
    added to ruserok() so that the FTP server port was not
    treated as privileged...)

    firewall-wizards mailing list
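The PORT check described in the message above, as an added illustration (this is not the DEC SEAL proxy code, which is not on the page): a proxy-side validator that parses the client's FTP PORT command and refuses any data connection that would go to a host other than the client itself, and also refuses privileged destination ports. The client and PORT addresses in the sample lines are constructed.

```python
import ipaddress
import re

# RFC 959 PORT syntax: PORT h1,h2,h3,h4,p1,p2 (four address octets, two port bytes)
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line):
    """Parse a PORT command into (ip_string, port). Raises ValueError on bad input."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("malformed PORT command")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range")
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def check_port_command(line, client_ip, min_port=1024):
    """Decide whether a proxy should honour the PORT command.

    Returns (allowed, reason). A third-party address (anything but the
    client's own source address) is refused, which is the deliberate
    RFC departure the message describes; privileged target ports are
    refused as well, since a data connection to them is never a normal
    client data channel.
    """
    try:
        ip, port = parse_port_command(line)
    except ValueError as err:
        return False, str(err)
    if ipaddress.ip_address(ip) != ipaddress.ip_address(client_ip):
        return False, f"PORT target {ip} differs from client {client_ip}: third-party transfer refused"
    if port < min_port:
        return False, f"PORT target port {port} is privileged"
    return True, "ok"


if __name__ == "__main__":
    client = "192.0.2.10"  # constructed client source address
    for cmd in ("PORT 192,0,2,10,4,1",      # same host, port 1025: allowed
                "PORT 198,51,100,7,4,1",    # different host: refused
                "PORT 192,0,2,10,0,25"):    # same host but port 25: refused
        print(cmd, "->", check_port_command(cmd, client))
```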

      ... Compliance Is Wasted Money, ... How do I know that PCI Standards writers are getting a nice commission off me installing the anti-virus? ... Lastly, that is where you are wrong, there is no "base starting point" companies don't give a shit about proper security measures, they get PCI-certified and all security ends there. ... The problem is not weather they are educated against other standards or policies or not, the problem is that without this compliance you can't work with CC!!! ...