The overall point I've been trying to make (to
folks who claim otherwise) is that SPFs
*CAN* filter anything that an AG proxy can.
I don't claim anything about whether SPFs can
do it better or worse, or if they do it in current
implementations, or how much trouble it is
or isn't to write equivalent code, or any of that.
Just that they can.
I take exception to folks (I guess especially folks
who work for AG vendors) claiming that they can't
because of their design.
So, regarding your question about Telnet and FTP,
I don't know if Firewall-1 would protect from some new bug
related to the OOB flag, I'd guess no. The Winnuke bug
was very simplistic.. if the OOB flag was set at all, down
goes the Windows box.. (in the second variation, the OOB
flag had to be set, and the OOB pointer had to be set
a certain way.) For Telnet and FTP, they normally use
OOB stuff anyway, so any attack would probably be
a bit more involved. For an arbitrary new attack (of any
complexity) AGs aren't necessarily going to help.
An example would be: One could write a really good
AG for SMTP that catches all the known Sendmail
exploits, but it won't (necessarily) stop the hole
in the next version of Sendmail.
net on 10/26/97 06:31:57 PM
To: Ryan Russell/SYBASE
cc: firewalls @
Subject: Re: sex, lies, and firewall code
On Sun, 26 Oct 1997, Ryan Russell wrote:
> To answer your question, Firewall-1 can pass or
> not pass OOB on a per-app basis, so as to
> protect from that bug, but still let FTP and Telnet work.
> BTW, your point (as stated) in the note I was
> replying to was not "Firewall-1 didn't protect from
> it automatically" (which would be correct) it was "SPFs
> CAN'T filter that stuff, because..." which is wrong.
I'm not sure it's totally wrong, as you state it is on a per-app basis,
so if telnet or FTP were susceptible to an OOB problem pre-fix (I'm not
sure if they were or were not, as I never tested OOB against those
services either in or outbound), then the statement would still stand as
true, since I said something along the lines of "CAN'T filter and still
allow functionality to non-affected systems" if they aren't susceptible in
exploit as published, then the statement was indeed incorrect as stated and
should be modified to state 'potentially'. Either way, your clarification
is welcome, and duly noted.
Paul D. Robertson "My statements in this message are personal opinions
net which may have no basis whatsoever in fact."
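
The per-application OOB handling discussed in both messages, sketched as an added example that is not part of the original thread and is not Firewall-1 code or configuration. It reads the URG flag (TCP's "OOB" indicator) from a raw TCP header and applies a per-destination-port policy; the port table, function names and sample segments are assumptions made for illustration.

```python
import struct

TCP_FLAG_URG = 0x20

# Hypothetical policy: destination port -> may segments with URG set pass?
# Telnet and FTP control keep working; NetBIOS session traffic with URG is dropped.
URG_POLICY = {21: True, 23: True, 139: False}
DEFAULT_ALLOW_URG = False  # services not listed: fail closed on URG


def parse_tcp_header(segment: bytes):
    """Return (dst_port, flags, urgent_pointer) from a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (_src, dst, _seq, _ack, off_flags,
     _win, _csum, urg_ptr) = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4  # data offset is in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    return dst, off_flags & 0x01FF, urg_ptr


def filter_segment(segment: bytes) -> str:
    """Return 'pass' or 'drop' for one TCP segment."""
    try:
        dst, flags, _urg_ptr = parse_tcp_header(segment)
    except ValueError:
        return "drop"  # malformed header: do not forward
    if flags & TCP_FLAG_URG and not URG_POLICY.get(dst, DEFAULT_ALLOW_URG):
        return "drop"
    return "pass"


def build_segment(dst_port: int, flags: int, urg_ptr: int = 0,
                  payload: bytes = b"") -> bytes:
    """Constructed sample segment (checksum left at 0, not validated here)."""
    return struct.pack("!HHIIHHHH", 40000, dst_port, 1, 1,
                       (5 << 12) | flags, 8192, 0, urg_ptr) + payload


if __name__ == "__main__":
    ACK_PSH = 0x18
    for port, flags in [(139, ACK_PSH | TCP_FLAG_URG), (139, ACK_PSH),
                        (23, ACK_PSH | TCP_FLAG_URG)]:
        seg = build_segment(port, flags, urg_ptr=3, payload=b"abc")
        print(port, hex(flags), filter_segment(seg))
```

A rule like this only addresses the published behaviour (URG set at all); it does nothing for a service that is allowed URG and later turns out to mishandle it, which is the case both posters raise for Telnet and FTP.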