How Firewalls Other Than Kerio 2.1.5 Handle Fragments By Default

Just a little more on this fragments thing....

In Atguard, fragment blocking was not configurable in the GUI. You needed to add a registry entry: BlockIPFragments

In NIS/NPF (??-2005-??), the recommended setting was to allow fragments unless they resembled an attack.

In ZAPlus 4.5.594, fragment blocking is OFF by default, although it can be turned on.

In other firewalls?.....

Did the designers of these other firewalls (some still getting more extensive use than Kerio 2.1.5) look at this as something that could cause problems if blocked by default, did they view it as unnecessary, or just not know any better?

 

The point is, today, frag packs are considered dangerous way to hack, they are an active tool in SPAM but also the cause of system compromise.

 

Can you elaborate on those two statements and where you got your information?

thanks,

-rich

 

Rmus,

Just Google Frag packet danger issue and you will get myridads of information on it.

 

I may have misunderstood your statement - I thought you meant that these attacks were being less frequently used.

-rich

 

No probs Rmus, are you still on Kerio 2.15? Also have you visited DSL Kerio forums lately?

 

Yes

Yes - several times a week.

 

Rmus,

Try putting CHX and then check your logs and see what you get with Kerio and CHX running.

 

What differences would I notice?

 

See what your logs reveal, give it a try.

 

Presumably if you have a router firewall this is not necessary. I have just run the PC Flank tests with Kerio disabled and it still comes up clean. Tried their exploits test which includes fragged packets. No problems.

 

Yep, with a good SPI router you will be fully stealthed and inbound firewall is redundant and un-necessary, however router firewall is also dependant on the embedded software and therefore even though it might give you stealth, many of the cheaper ones also let in UDP, Linksys for one has been lately doing so, for SPI upgrades, routers are heavily dependant on firmware upgrade. Only true SPI ICSA certified routers which come at $$$ have the capability of something like CHX, 8 Signs or other firewalls. However, if inbound stealth is all you want, any router would successfully stealth you, some even have protection from DDoS etc.

 

I have a Netgear 834 so not sure how that rates. Probably no better. It was a good reminder about updates since I have not done that in a long while. Thanks

 

David,

A true SPI router will have ICSA certification, only CISCO and other top end high bucks routers fit the bill, not really worth it in my book, would rather buy a old PC and run Linux firewall in it and use it as a router.

 

Thanks Arup

Tried that with Linux a few years ago, although I got everything working I just did not like that o/s. Such a hassle to get anything installed. It was continual detective work to work out what bit of the library was missing. The firewalls at that time were all scripted - ok if you know what you are doing, but if not so easy just to miss something essential out. Also ran so much slower than windows, but that is another subject. After 5 months I ditched it.

 

Fragmentation was and in some cases is still necessary to send data through multiple transmission mediums (eg. Ethernet, optic fiber). Each network uses its own data frame format, and each format has a limit on how much data can be sent in a single frame. Hence the reason for MTUs. Using Path MTU Discovery protocol to fit data to the minimum MTU along the network path is one way to avoid fragmentation. It should be noted that this requires ICMP to be enabled, and with many firewalls adopting the stealth methodology, allowing fragmentation is the only way for this kind of traffic to proceed through the network.

This being all said, it is unlikely that you will run into major troubles by disabling fragmentation on a home PC (with no local network) which accesses the Internet. PPP has an assumed MTU of 1500 bytes.

 

As far as I know using fragmentation in a remote attack usually results in DoS conditions, although some vulnerable systems may allow remote code execution because of their handling of fragmentation. It is doubtful that most zombie spam servers were compromised because of poor fragmentation handling. I believe *the* papers to read on this issue are 'Fragmentation considered harmful (?someday?) and the sequel written by someone else 'Fragmentation considered even more harmful".

I don't think this necessarily true. I'm sure Cisco, who came up with the concept has some equipment which is not ICSA certified, even if it may support a range of protocols SPI-wise. It is my opinion that certifications like ICSA really shoudn't be relied upon as the sole security-indicator of a product. You may be surprised to learn just what qualifies as a pass, so read the details of the test thoroughly if you are basing your buying decision on such a certification.

 

ICSA would be at least a proper path to take in this world filled with different brand of routers, at least for a newbie, a safer alternative. I do agree, router's SPI tables are truly a hush hush affair, one of the reasons I would rather run a Linux box or bridge router and run it with inbound packet filter.

 

ICSA certification comes in different flavors, including Residential for hardware. All must meet a baseline standard and then additional requirements for the category they are seeking certification in.

As ghost16825 mentioned, the criteria are available on the ICSA Labs site and make for interesting reading (what to look for in a product, certified or not). They also have a PC Firewall certification.

Regards,

CrazyM

 

Yep, so a certification is at least a good basepoint to start with.

Also wanted to add, I have serious doubt about the capabilities of cheap routers SPI, case in point, I tried out a real cheap router from Huawei, I noticed that it would freeze up from time to time if PPPoE dial up was implemented, found out it had incompatibilities with enternet protocol used by most ISPs, I use World Timer from Pawprint, to snyc it, needs UDP access rule with CHX, now with the router, it just let it in instead of blocking it as it should, all routers give inbound stealth due to its very nature of NAT, how effective its SPI is, one will never know. If we look through the net on router problems, common is the connection freeze among various brands of rotuers, I for one just bridge my router and use the fantastic RASPPPoE of Robert Schabach and use CHX for inbound filtering, Zone Alarm and others like Outpost etc. would work fine too in this setup and would be far superior than router's firewall, also most of us even with routers have to use a software firewall for outbound anyways, so why not inbound as well.