Proxy 2.0 secure?

tqbf@pobox.com tqbf@pobox.com
Fri, 26 Jun 1998 01:21:26 -0500 (CDT)


> that should be further investigated. (Cyberguard, for instance, happily
> passes all fragments #2 and up through the firewall, both ways, unlogged.
> Sure. Filtering is done on #0 (#1 is dropped), but statefullness should
> enter into the equation somewhere). Many of them had trouble (or a complete

This is a security flaw, and should be reported. There are platforms that
will reassemble fragment streams that don't start at offset 0, as if the
first received offset was actually 0. The purpose of a firewall is to
shield vulnerable hosts from their own problems.

Of course, statefulness isn't the answer to the problem; proxying is. =)

-----------------------------------------------------------------------------
Thomas H. Ptacek	                   SNI Labs, Network Associates, Inc.
-----------------------------------------------------------------------------
http://www.pobox.com/~tqbf	 "If you're so special, why aren't you dead?"