Re: [fw-wiz] Firewalls that generate new packets..
- From: "Darden, Patrick S." <darden@xxxxxxxx>
- Date: Wed, 28 Nov 2007 09:29:09 -0500
Marcus J. Ranum
> Let's take MITM and DOS off the table. No firewall will
> protect you against either of those.

I've addressed the MITM and DOS issues. I don't agree
with you, and I have presented my reasoning.

>> Does a router with ACL+"established" let unsolicited
>> RSTs through? I thought that all that got through was
>> SYN, unless it had an ACK. And to do an RST with
>> an active connection don't you need the sequence #?
>> That would require a MITM, right?
>
> Yep, it will. Any firewall that does not depend on
> tcp sequence #s will allow such an attack.
>
> The hard thing I had to wrap my brain around was the
> observation that between a router+ACLs combined
> with the state that is held in the TCP stack of the
> target, you've got exactly the same thing (and often
> quite a bit better!) than a "stateful" firewall.
I respectfully disagree for all the reasons I have outlined
before.... Sum: tcp sequence #s make a difference.
--Patrick Darden
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
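An added illustration, not part of the thread or either poster's own work, modelling the two filtering policies under discussion: a router ACL with the `established` keyword (which passes any inbound segment carrying ACK or RST and never looks at sequence numbers) beside a sequence-aware check of the kind the target's TCP stack, or a sequence-tracking firewall, applies before honouring an RST. Addresses, ports, window size and the packet set are constructed; the in-window test is the classic RFC 793 acceptance check, simplified.

```python
from dataclasses import dataclass

INSIDE = "10.0.0."   # constructed: the protected network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    flags: frozenset

@dataclass
class Connection:
    # State the target's TCP stack (or a sequence-tracking firewall) holds per socket.
    peer: tuple      # (remote ip, remote port) it is talking to
    rcv_nxt: int     # next sequence number expected from the peer
    rcv_wnd: int     # current receive window

def established_acl(pkt):
    """Router ACL with 'established': an inbound segment is permitted if ACK or RST
    is set. Nothing is tracked and the sequence number is never examined."""
    if not pkt.dst.startswith(INSIDE):
        return True
    return bool(pkt.flags & {"ACK", "RST"})

def sequence_aware(pkt, table):
    """Sequence-number check: the segment must match a tracked connection and an
    RST must carry a seq inside the receive window, or it is dropped."""
    if not pkt.dst.startswith(INSIDE):
        return True
    conn = table.get((pkt.dst, pkt.dport))
    if conn is None or conn.peer != (pkt.src, pkt.sport):
        return False
    if "RST" in pkt.flags:
        return conn.rcv_nxt <= pkt.seq < conn.rcv_nxt + conn.rcv_wnd
    return True

def compare(packets, table):
    """Map each labelled packet to (ACL decision, sequence-aware decision)."""
    return {k: (established_acl(p), sequence_aware(p, table)) for k, p in packets.items()}

# Constructed scenario: 10.0.0.5:443 has one live connection from 198.51.100.7:40000.
TABLE = {("10.0.0.5", 443): Connection(("198.51.100.7", 40000), 1_000_000, 65_535)}
PACKETS = {
    "syn_probe": Packet("203.0.113.9", 5555, "10.0.0.5", 443, 42, frozenset({"SYN"})),
    "unsolicited_rst": Packet("198.51.100.7", 40000, "10.0.0.5", 443, 7, frozenset({"RST"})),
    "peer_rst": Packet("198.51.100.7", 40000, "10.0.0.5", 443, 1_000_000, frozenset({"RST"})),
}
RESULTS = compare(PACKETS, TABLE)  # {'syn_probe': (False, False), 'unsolicited_rst': (True, False), 'peer_rst': (True, True)}
```

The middle case is the one the thread argues over: the `established` ACL passes the unsolicited RST, and only the sequence-number check (the target's stack, or a firewall that tracks sequence numbers) rejects it.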