How do the various commercial offerings handle fragmented packets?
If I let fragments through, I could be letting through a TCP SYN.
If I've set the MTU of my outgoing interface to 28 (a multiple of 8),
it will put source/dest port in 1st packet and the TCP flags in the 3rd
(seq/ack go in the 2nd). Obviously filtering based upon the TCP flags
is not possible and doing any filtering on _anything_ in the TCP header
is going to be incorrect at some point. I might add that an MTU of 28
is the minimum size for meaningful fragmentation to occur of a TCP/UDP
or even ICMP packet (with no IP options). Although the fragments will
timeout upon passing through, what is the capacity here for a malicious
attack to be formed by sending fragments which pass through the filter
and form 'different packets' on the other side? (This is just some
speculation on my part of what might be possible.)
Solaris2 sets the "don't fragment" flag, which is of some help to us.
What should the application gateway part of the firewall be doing?
Should the software set the "don't fragment" flag - if only to be
'filter-friendly'?
Obviously, dropping fragments is the best thing to do unless you don't
care what is inside them past the IP header.
Note, however, that certain IP options (such as source routing) must
be in the fragment headers but others can be excluded.
darren
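The following is an added worked example, not code from the post above or from any product it asks about. It builds a 20-byte TCP header (constructed values; no checksums, nothing is put on a wire), fragments it at an MTU of 28 so each fragment carries 8 bytes of transport data, and reports which TCP header fields land wholly inside each fragment. It then applies the tiny-fragment check described in RFC 1858 (a TCP first fragment must be long enough to contain the flags byte, and an offset-1 fragment is dropped because it lands on bytes 8..15), and finally shows the overlap case the post speculates about: an ACK-only first fragment that passes a flags-based filter, followed by an offset-1 fragment that rewrites the flags to SYN during naive reassembly. The minimum first-fragment length of 16 is the RFC 1858 suggestion; all packet values are made up for the demonstration.

```python
import struct

IP_HDR_LEN = 20          # IPv4 header without options
TCP_PROTO = 6
TH_SYN, TH_ACK = 0x02, 0x10

# Byte ranges of the fixed TCP header fields, relative to the TCP header start.
TCP_FIELDS = [("sport", 0, 2), ("dport", 2, 4), ("seq", 4, 8), ("ack", 8, 12),
              ("data_offset", 12, 13), ("flags", 13, 14), ("window", 14, 16),
              ("checksum", 16, 18), ("urgent", 18, 20)]


def build_ip_header(payload_len, ident, more, offset8, proto=TCP_PROTO):
    """Minimal IPv4 header; checksum left zero (constructed, never transmitted)."""
    flags_frag = (more << 13) | offset8
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len, ident,
                       flags_frag, 64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")


def build_tcp_header(sport, dport, seq, ack, flags):
    """20-byte TCP header, no options; checksum and urgent pointer zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)


def parse_ip(frag):
    """Pull out the fields a fragment filter needs from one IP fragment."""
    _, _, total_len, ident, ff, _, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", frag[:IP_HDR_LEN])
    return {"total_len": total_len, "ident": ident, "proto": proto,
            "more": (ff >> 13) & 1, "offset": ff & 0x1FFF,
            "data": frag[IP_HDR_LEN:total_len]}


def fragment(transport, mtu, ident=0x1234):
    """Split a transport segment into IP fragments that fit `mtu`.
    Every non-final fragment must carry a multiple of 8 data bytes, so an
    MTU of 28 is the smallest that yields any fragment at all (8 bytes each)."""
    chunk = (mtu - IP_HDR_LEN) // 8 * 8
    if chunk < 8:
        raise ValueError("MTU %d leaves no room for an 8-byte fragment" % mtu)
    frags = []
    for off in range(0, len(transport), chunk):
        data = transport[off:off + chunk]
        more = 1 if off + chunk < len(transport) else 0
        frags.append(build_ip_header(len(data), ident, more, off // 8) + data)
    return frags


def tcp_fields_in(frag):
    """Names of the TCP header fields that lie wholly inside this fragment."""
    h = parse_ip(frag)
    start = h["offset"] * 8
    end = start + len(h["data"])
    return [name for name, a, b in TCP_FIELDS if start <= a and b <= end]


def tiny_fragment_filter(frag, min_first=16):
    """RFC 1858-style check: a TCP first fragment must carry enough of the
    header to include the flags byte (offset 13), and an offset-1 fragment
    is dropped because it covers bytes 8..15 and could rewrite the flags."""
    h = parse_ip(frag)
    if h["proto"] != TCP_PROTO:
        return "pass"
    if h["offset"] == 0 and len(h["data"]) < min_first:
        return "drop: first fragment too short to hold TCP flags"
    if h["offset"] == 1:
        return "drop: fragment overlaps TCP flags"
    return "pass"


def reassemble(frags):
    """Naive reassembly in arrival order where a later fragment overwrites
    earlier bytes; this is how overlapping fragments form a different packet."""
    buf = bytearray()
    for f in frags:
        h = parse_ip(f)
        start = h["offset"] * 8
        end = start + len(h["data"])
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
        buf[start:end] = h["data"]
    return bytes(buf)


def tcp_flags(transport):
    """Flags byte of a (reassembled) TCP header."""
    return transport[13]


if __name__ == "__main__":
    syn = build_tcp_header(40000, 25, 1, 0, TH_SYN)
    for i, f in enumerate(fragment(syn, 28)):
        print("fragment %d: %s -> %s" % (i + 1, tcp_fields_in(f), tiny_fragment_filter(f)))
    # Overlap: an ACK-only first fragment passes a flags-based filter, then an
    # offset-1 fragment rewrites bytes 8..15 (flags included) to SYN.
    ack_first = build_ip_header(20, 0x99, 1, 0) + build_tcp_header(40000, 25, 1, 0, TH_ACK)
    overlap = build_ip_header(8, 0x99, 0, 1) + syn[8:16]
    print("overlap fragment: %s" % tiny_fragment_filter(overlap))
    print("reassembled flags: 0x%02x" % tcp_flags(reassemble([ack_first, overlap])))
```

Run as-is and the first loop shows that with an MTU of 28 the ports and sequence number sit in fragment 1 while the flags byte only appears in a later fragment, so a filter that inspects fragment 1 alone cannot see SYN. The second part shows why the offset-1 rule exists: the ACK-only first fragment is long enough to pass, but without the rule the offset-1 fragment would turn the reassembled segment into a SYN on the far side.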