How Firewalls Other Than Kerio 2.1.5 Handle Fragments By Default

Discussion in 'other firewalls' started by noway, Oct 29, 2005.

Thread Status:
Not open for further replies.
  1. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    Just a little more on this fragments thing....

    In Atguard, fragment blocking was not configurable in the GUI. You needed to add a registry entry: BlockIPFragments

    In NIS/NPF (??-2005-??), the recommended setting was to allow fragments unless they resembled an attack.

    In ZAPlus 4.5.594, fragment blocking is OFF by default, although it can be turned on.

    In other firewalls o_O o_O ?.....

    Did the designers of these other firewalls (some still getting more extensive use than Kerio 2.1.5) look at this as something that could cause problems if blocked by default, did they view it as unnecessary, or just not know any better?
     
  2. Arup

    Arup Guest

    The point is, today, frag packs are considered a dangerous way to hack; they are an active tool in SPAM but also the cause of system compromise.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Can you elaborate on those two statements and where you got your information?

    thanks,

    -rich
     
  4. Arup

    Arup Guest

    Rmus,

    Just Google "Frag packet danger issue" and you will get myriads of information on it.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I may have misunderstood your statement - I thought you meant that these attacks were being less frequently used.

    -rich
     
  6. Arup

    Arup Guest

    No probs Rmus, are you still on Kerio 2.15? Also have you visited DSL Kerio forums lately?
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes

    Yes - several times a week.
     
  8. Arup

    Arup Guest

    Rmus,

    Try putting CHX and then check your logs and see what you get with Kerio and CHX running.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    What differences would I notice?
     
  10. Arup

    Arup Guest

    See what your logs reveal, give it a try.
     
  11. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    Presumably if you have a router firewall this is not necessary. I have just run the PC Flank tests with Kerio disabled and it still comes up clean. Tried their exploits test which includes fragged packets. No problems.
     
  12. Arup

    Arup Guest

    Yep, with a good SPI router you will be fully stealthed and an inbound firewall is redundant and unnecessary. However, a router firewall is also dependent on the embedded software, and therefore even though it might give you stealth, many of the cheaper ones also let in UDP; Linksys for one has been lately doing so. For SPI upgrades, routers are heavily dependent on firmware upgrades. Only true SPI ICSA certified routers, which come at $$$, have the capability of something like CHX, 8 Signs or other firewalls. However, if inbound stealth is all you want, any router would successfully stealth you; some even have protection from DDoS etc.
     
  13. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    I have a Netgear 834 so not sure how that rates. Probably no better. It was a good reminder about updates since I have not done that in a long while. Thanks
     
  14. Arup

    Arup Guest

    David,

    A true SPI router will have ICSA certification, only CISCO and other top end high bucks routers fit the bill, not really worth it in my book, would rather buy a old PC and run Linux firewall in it and use it as a router.
     
  15. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    Thanks Arup

    Tried that with Linux a few years ago, although I got everything working I just did not like that o/s. Such a hassle to get anything installed. It was continual detective work to work out what bit of the library was missing. The firewalls at that time were all scripted - ok if you know what you are doing, but if not so easy just to miss something essential out. Also ran so much slower than windows, but that is another subject. After 5 months I ditched it.
     
  16. ghost16825

    ghost16825 Registered Member

    Joined:
    Feb 1, 2005
    Posts:
    84
    Fragmentation was and in some cases is still necessary to send data through multiple transmission mediums (eg. Ethernet, optic fiber). Each network uses its own data frame format, and each format has a limit on how much data can be sent in a single frame. Hence the reason for MTUs. Using Path MTU Discovery protocol to fit data to the minimum MTU along the network path is one way to avoid fragmentation. It should be noted that this requires ICMP to be enabled, and with many firewalls adopting the stealth methodology, allowing fragmentation is the only way for this kind of traffic to proceed through the network.

    This being all said, it is unlikely that you will run into major troubles by disabling fragmentation on a home PC (with no local network) which accesses the Internet. PPP has an assumed MTU of 1500 bytes.
     
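    As an added illustration of the MTU and fragmentation mechanics described above (this is example code, not from any poster in the thread): it picks the path MTU as the smallest link MTU on a constructed path, splits a datagram into fragments the way IP does (offsets in 8-byte units, MF flag on all but the last), and then classifies raw IPv4 headers the way a packet filter must, which shows why later fragments are hard to filter statelessly. The path MTUs and addresses are assumed sample values.

```python
import struct

# Constructed sample: link MTUs along a hypothetical path (assumed values)
PATH_MTUS = [1500, 1492, 1400]

def path_mtu(mtus):
    """Path MTU Discovery effectively settles on the smallest link MTU on the path."""
    return min(mtus)

def fragment(payload_len, mtu, ihl_bytes=20):
    """Split an IP payload to fit an MTU.

    Returns (offset_in_8_byte_units, fragment_payload_len, more_fragments) per fragment.
    Every fragment but the last carries a multiple of 8 payload bytes, because the
    13-bit fragment offset field counts in 8-byte units.
    """
    max_payload = (mtu - ihl_bytes) // 8 * 8
    frags, offset = [], 0
    while offset < payload_len:
        chunk = min(max_payload, payload_len - offset)
        more = offset + chunk < payload_len
        frags.append((offset // 8, chunk, more))
        offset += chunk
    return frags

def build_ipv4_header(total_len, ident, more, offset_units, proto=17):
    """Minimal 20-byte IPv4 header (checksum left 0) for one fragment; assumed addresses."""
    flags_frag = ((1 if more else 0) << 13) | (offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")

def classify(header):
    """What a packet filter sees: is this datagram a fragment, and which kind?"""
    flags_frag = struct.unpack("!H", header[6:8])[0]
    more = bool(flags_frag & 0x2000)   # MF flag
    offset = flags_frag & 0x1FFF       # fragment offset, 8-byte units
    if not more and offset == 0:
        return "unfragmented"
    if offset == 0:
        return "first-fragment"        # carries the TCP/UDP header, ports visible
    return "later-fragment"            # no transport header: ports invisible to a stateless filter

def fragment_headers(payload_len, mtu, ident=1):
    """Build the header of every fragment of one datagram, for inspection."""
    return [build_ipv4_header(20 + length, ident, more, off)
            for off, length, more in fragment(payload_len, mtu)]
```

A filter that blocks all fragments drops the later fragments (where it cannot see ports) together with the first; a stateful one can match later fragments to the first by identification field.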
  17. ghost16825

    ghost16825 Registered Member

    Joined:
    Feb 1, 2005
    Posts:
    84
    As far as I know using fragmentation in a remote attack usually results in DoS conditions, although some vulnerable systems may allow remote code execution because of their handling of fragmentation. It is doubtful that most zombie spam servers were compromised because of poor fragmentation handling. I believe *the* papers to read on this issue are 'Fragmentation considered harmful (?someday?) and the sequel written by someone else 'Fragmentation considered even more harmful".

    I don't think this is necessarily true. I'm sure Cisco, who came up with the concept, has some equipment which is not ICSA certified, even if it may support a range of protocols SPI-wise. It is my opinion that certifications like ICSA really shouldn't be relied upon as the sole security indicator of a product. You may be surprised to learn just what qualifies as a pass, so read the details of the test thoroughly if you are basing your buying decision on such a certification.
     
  18. Arup

    Arup Guest

    ICSA would be at least a proper path to take in this world filled with different brands of routers, at least for a newbie, a safer alternative. I do agree, routers' SPI tables are truly a hush hush affair, one of the reasons I would rather run a Linux box or bridge the router and run it with an inbound packet filter.
     
  19. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    ICSA certification comes in different flavors, including Residential for hardware. All must meet a baseline standard and then additional requirements for the category they are seeking certification in.

    As ghost16825 mentioned, the criteria are available on the ICSA Labs site and make for interesting reading (what to look for in a product, certified or not). They also have a PC Firewall certification.

    Regards,

    CrazyM
     
  20. Arup

    Arup Guest

    Yep, so a certification is at least a good basepoint to start with.

    Also wanted to add, I have serious doubts about the capabilities of cheap routers' SPI. Case in point: I tried out a real cheap router from Huawei, and I noticed that it would freeze up from time to time if PPPoE dial up was implemented; found out it had incompatibilities with the EnterNet protocol used by most ISPs. I use World Timer from Pawprint to sync, which needs a UDP access rule with CHX; now with the router, it just let it in instead of blocking it as it should. All routers give inbound stealth due to the very nature of NAT; how effective their SPI is, one will never know. If we look through the net on router problems, common is the connection freeze among various brands of routers. I for one just bridge my router and use the fantastic RASPPPoE of Robert Schlabbach and use CHX for inbound filtering; Zone Alarm and others like Outpost etc. would work fine too in this setup and would be far superior to the router's firewall. Also most of us even with routers have to use a software firewall for outbound anyways, so why not inbound as well.
     
    Last edited by a moderator: Nov 1, 2005