Great Circle Associates Firewalls
(October 1997)
 


Subject: Re: sex, lies, and firewall code
From: Ryan Russell/SYBASE <Ryan . Russell @ sybase . com>
Date: 26 Oct 97 8:31:46 EDT
To: proberts <proberts . clark . . net @ sybase . com>
Cc: firewalls <firewalls @ greatcircle . com>

They can and do protect from the OOB bug.  Now, you might
have a legitimate complaint in that Checkpoint didn't do that until
after the attack was discovered.

    Ryan

-------------------------------------------------------------------------




I think you're missing the point completely here.  What a packet filter
doesn't do is rewrite what are 'legitimate' packets at the transport
layer.  Modifying portions of a packet isn't the same as rewriting it.

For instance, a packet filter won't protect an NT 4.0 based computer from OOB
attacks, and still allow a Solaris one to function.  You _have_ to upgrade
every "protected" machine or deny legitimate OOB packets.  Proxies simply
don't have that problem, fix the gateway and the problem immediately
disappears.

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts @ clark . net      which may have no basis whatsoever in fact."
                                                                     PSB#9280




