> Brian> If you are referring to the latter however, you have a level of
> Brian> filtering that is much better than standard filtering. The
> Brian> Secure Access add-on for the Ascend products is indeed a
> Brian> "stateful packet filtering" mechanism!! This is, IMHO, much
> Brian> better than the filtering that can be achieved with the
> Brian> commonly available routers. Just set up an FTP filter and
> Brian> you'll know. :-)
> At the risk of starting another religious war, I have a question about
> the Ascend stateful packet filtering...
Not a religious war - it is a valid question that can (and should) be
asked of any packet filter vendor. As far as I know, all the big players
have already addressed the problem in current software revisions.
> Do the Ascend products allow you to refuse fragmented packets, or to
> defrag them? If not, stateful packet filtering is pretty useless,
You do not need to completely refuse fragmented packets. You simply
need to make sure that the packets you receive match certain criteria.
> given that a skilled attacker can simply frag the packet so that a
> decision is made on incomplete information (i.e., source/destination
> address, but not source/destination ports...)
The Ascend Secure Access product follows the recommendations found in
RFC 1858 "Security Considerations for IP Fragment Filtering" which
prevents packets that are too small to contain complete information
from passing through the router. This is called a "Tiny Fragment
Attack". Another type of attack discussed in RFC 1858 is an "Overlapping
Fragment Attack" which is also stopped (automatically) by Ascend Secure
> Yes, there are some folks who will tell me I'm insane for actually
> worrying about that (how good is good enough?)
No, you are not insane. The good news is the problem is generally
known and that Ascend does address it in Secure Access.
For more information, RFC 1858 includes very good summaries that explain
how the attacks work and how to prevent the attacks ("hats off" to the
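The two RFC 1858 filter rules the reply describes (drop a first fragment that is too short to carry the TCP header fields a filter needs, and drop any fragment with offset 1, which can only be a tiny-fragment follow-on or an overlap of the first fragment) can be written out as a small packet-inspection function. The code below is an added illustration for this thread; it is not Ascend's Secure Access code and not part of the original message. The packets, addresses and port numbers are constructed for the example, and the 16-byte minimum (`TMIN_TCP`) is the value assumed from RFC 1858's discussion of reaching the TCP flags field.

```python
import struct

IPPROTO_TCP = 6

# RFC 1858 "tmin" for TCP: a first fragment must carry at least the 16 bytes
# needed to reach the TCP flags field. (Value assumed from the RFC's text.)
TMIN_TCP = 16

SRC = bytes([10, 0, 0, 1])   # constructed sample addresses
DST = bytes([10, 0, 0, 2])


def build_ipv4(payload, frag_offset=0, more_fragments=False, proto=IPPROTO_TCP):
    """Construct a minimal IPv4 packet (20-byte header, no options, checksum 0).
    frag_offset is given in 8-byte units, as it appears on the wire."""
    flags = 0x1 if more_fragments else 0x0
    frag_field = (flags << 13) | (frag_offset & 0x1FFF)
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, 0x1234, frag_field,
                      64, proto, 0, SRC, DST)
    return hdr + payload


def parse_ipv4(pkt):
    """Return the fields the RFC 1858 rules need, or None if the packet is malformed."""
    if len(pkt) < 20:
        return None
    (ver_ihl, _tos, total_len, _ident, frag_field,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return None
    return {
        "proto": proto,
        "mf": bool(frag_field & 0x2000),     # More Fragments flag
        "fo": frag_field & 0x1FFF,           # fragment offset, 8-byte units
        "transport_len": total_len - ihl,    # transport bytes carried by this fragment
    }


def rfc1858_verdict(pkt):
    """Apply the RFC 1858 fragment rules to one IPv4 packet.
    Returns (action, reason) where action is "drop" or "pass"."""
    f = parse_ipv4(pkt)
    if f is None:
        return "drop", "malformed or truncated IPv4 header"
    if f["proto"] != IPPROTO_TCP:
        return "pass", "rules here are only defined for TCP"
    # Direct method: the first fragment (FO=0) must contain enough of the TCP
    # header for the filter to see ports and flags before it decides.
    if f["fo"] == 0 and f["transport_len"] < TMIN_TCP:
        return "drop", "tiny first fragment (FO=0, %d < %d bytes)" % (
            f["transport_len"], TMIN_TCP)
    # Indirect method: a fragment with FO=1 only exists if the first fragment
    # was 8 bytes (tiny) or if it overlaps the first fragment and would rewrite
    # the TCP flags. Either way it is dropped.
    if f["fo"] == 1:
        return "drop", "fragment offset 1 (tiny or overlapping fragment)"
    return "pass", "fragment carries enough information"


def tcp_header(sport, dport, flags):
    """Construct a 20-byte TCP header with no options (checksum left 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


# Constructed sample traffic: one ordinary SYN plus the fragment shapes RFC 1858 covers.
SYN = tcp_header(40000, 23, 0x02)
SAMPLES = {
    "unfragmented SYN": build_ipv4(SYN),
    "tiny first fragment (8 bytes)": build_ipv4(SYN[:8], more_fragments=True),
    "second fragment at FO=1": build_ipv4(SYN[8:], frag_offset=1),
    "later fragment at FO=3": build_ipv4(b"\x00" * 16, frag_offset=3),
    "UDP datagram": build_ipv4(b"\x00" * 8, proto=17),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        action, reason = rfc1858_verdict(pkt)
        print(f"{name:32s} -> {action:4s} ({reason})")
```

The FO=1 rule is what makes the filter robust without reassembling: it does not need to remember the first fragment, because any datagram whose second piece starts at byte 8 is either the product of a tiny first fragment or an overlap aimed at the flags field, and dropping that piece leaves the receiver unable to complete the datagram.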