Great Circle Associates Firewalls
(July 1996)
 


Subject: Re: Re[2]: Ascend pipeline products.
From: lists @ lina . inka . de (Bernd Eckenfels)
Date: Wed, 31 Jul 1996 01:44:27 +0200 (MET DST)
To: cmcurtin @ research . megasoft . com
Cc: Brian_Murrell @ bctel . net, jeromie @ garrison . com, firewalls @ GreatCircle . COM
In-reply-to: <199607301113 . HAA19837 @ goffette . research . megasoft . com> from "C Matthew Curtin" at Jul 30, 96 07:13:56 am

Hi,

> Do the Ascend products allow you to refuse fragmented packets, or to
> defrag them? If not, stateful packet filtering is pretty useless,
> given that a skilled attacker can simply frag the packet so that a
> decision is made on incomplete information (i.e., source/destination
> address, but not source/destination ports...)

With a stateful filter you can simply check syn/ack sequence numbers to
block out packages which don't belong to existing connections. (Of course I
don't know if Ascend does this. At least this is better than fragment
blocking/defragmenting).

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels @ Wittumstrasse13 . 76646Bruchsal . de --
 ( .. )  ecki @ lina . {inka . de,ka.sub.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/A2C51749  eckes @ irc  +4972573817  *plush*
(O____O)       If privacy is outlawed only Outlaws have privacy
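
The two checks discussed in this message (refusing fragments, and accepting only packets whose sequence number fits a tracked connection), as an added example that is not part of the original post and does not describe Ascend's behaviour. The names `build`, `decide`, `ALLOWED_PORTS` and `WINDOW`, the addresses and the policy are assumptions; the state table is simplified to one direction and does not advance as data flows.

```python
import socket
import struct

ALLOWED_PORTS = {25}   # assumed policy: inbound SMTP only
WINDOW = 65535         # assumed tolerance around the expected sequence number

def build(src, dst, sport, dport, seq, flags, frag_field=0):
    """Construct a minimal IPv4+TCP packet (constructed sample data, checksums zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, frag_field, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

def decide(pkt, state):
    """Return 'accept' or a drop reason. state maps 4-tuple -> expected sequence number."""
    if len(pkt) < 20:
        return "drop: short IP header"
    ver_ihl, _, _, _, frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    more_fragments, offset = bool(frag & 0x2000), frag & 0x1FFF
    if more_fragments or offset:
        # A fragment may not carry the ports, so refuse it rather than
        # decide on addresses alone.
        return "drop: fragment"
    if proto != 6 or len(pkt) < ihl + 20:
        return "drop: not a complete TCP header"
    sport, dport, seq, _, _, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    key = (src, sport, dst, dport)
    syn, ack = flags & 0x02, flags & 0x10
    if syn and not ack:
        # New connection: apply the port policy, then remember the next sequence number.
        if dport not in ALLOWED_PORTS:
            return "drop: port not allowed"
        state[key] = (seq + 1) & 0xFFFFFFFF   # SYN consumes one sequence number
        return "accept"
    expected = state.get(key)
    if expected is None:
        return "drop: no matching connection"
    if (seq - expected) & 0xFFFFFFFF > WINDOW:
        return "drop: sequence number outside window"
    return "accept"
```
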

