On Sun, 26 Oct 1997, Ryan Russell wrote:
> They can and do protect from the OOB bug. Now, you might
> have a legitimate complaint in that Checkpoint didn't do that until
> after the attack was discovered.
That was the main point. It's forwarding packets, or the initial
vulnerability wouldn't have been there. I'm still not convinced that the
'protection' offered for the current bug covers some other rumored
problems with the same class of attack with other OOB packets, but until I
get lots of free time to generate raw packets, I'll leave that alone.
The initial Checkpoint reaction was "Block all OOB packets", obviously
breaking FTP and Telnet functionality. That tells me that there is a
flaw in the base technology that allows transport layer attacks. Granted
it was fixed, but who's to say that there aren't more transport layer
holes out there? Will you have to wait for a fix to each one? That's a
problem with packet filters that isn't there in hardened bastion hosts
running proxies. Even if the gateway is vulnerable, the hosts behind it
aren't. Since we tend to upgrade internal machines much more often than
gateways, I find that a major issue. What if the OOB attack's signature
were the same as a legitimate packet for a different OS? How would that be
handled in Checkpoint's world?
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280
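As an added illustration of the tradeoff discussed above (this is not code from the thread or from any vendor), here is a toy stateless filter over minimal TCP headers: the blanket "block all OOB packets" rule drops the Telnet and FTP urgent segments along with the unwanted one, while a per-service rule keeps those two services working. All packets, ports and flags are constructed sample data.

```python
import struct

URG, ACK, PSH = 0x20, 0x10, 0x08  # TCP flag bits

def build_tcp_header(src_port, dst_port, flags, urg_ptr=0):
    """Build a minimal 20-byte TCP header (no options); constructed sample data."""
    offset_flags = (5 << 12) | flags          # data offset = 5 words, then flag bits
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                       offset_flags, 8192, 0, urg_ptr)

def parse_tcp(header):
    """Pull out what a stateless filter inspects: ports, URG bit, urgent pointer."""
    src, dst, _seq, _ack, off_flags, _win, _csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", header[:20])
    return {"src_port": src, "dst_port": dst,
            "urg": bool(off_flags & URG), "urg_ptr": urg_ptr}

# Services that legitimately carry TCP urgent data (FTP control and Telnet),
# which is why a blanket OOB block breaks them.
URG_ALLOWED_PORTS = {21, 23}

def block_all_oob(pkt):
    """The blanket 'block all OOB packets' rule described in the thread."""
    return "drop" if pkt["urg"] else "pass"

def refined_policy(pkt):
    """Drop URG segments unless destined for a service that actually uses urgent data."""
    if not pkt["urg"]:
        return "pass"
    return "pass" if pkt["dst_port"] in URG_ALLOWED_PORTS else "drop"

# Constructed sample packets (hypothetical ports and flags, not captured traffic).
SAMPLE_PACKETS = [
    build_tcp_header(40000, 23, ACK | URG, urg_ptr=1),          # Telnet interrupt, legitimate
    build_tcp_header(40001, 21, ACK | URG, urg_ptr=1),          # FTP ABOR signalling, legitimate
    build_tcp_header(40002, 139, ACK | PSH | URG, urg_ptr=1),   # URG to a port that never needs it
    build_tcp_header(40003, 80, ACK | PSH),                     # ordinary segment, no urgent data
]

def evaluate(policy, packets=SAMPLE_PACKETS):
    """Return the verdict list a filter applying `policy` would produce."""
    return [policy(parse_tcp(p)) for p in packets]

if __name__ == "__main__":
    print("blanket:", evaluate(block_all_oob))   # ['drop', 'drop', 'drop', 'pass']
    print("refined:", evaluate(refined_policy))  # ['pass', 'pass', 'drop', 'pass']
```

The point the filter cannot make for you is the one raised in the post: any rule like this only covers URG-flag abuse already known, whereas a proxy that terminates the connection never forwards the raw segment to the internal host at all.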