AIX firewall capabilities

ITEM: RTA000153580



Q:                                                                              
Topic thread:                                                                   
RALEIGH NETWORKING SUPPORT CENTER (RALY - NA/ATS)                               
 IBM COMMERCEPOINT                                                              
  IBM eNetwork Firewall V3.2 for AIX                                            
                                                                                
A customer has submitted a Request for Proposal looking for the
following capabilities in our AIX firewall:                                     
                                                                                
- IP Fragmentation control                                                      
- Protection from Teardrop, TCP Syn Flood, Ping of Death                        
- Dynamic IP ports control (RPC, SQL*Net V2, Netbios)                           
Can the IBM firewall provide these?  Thanks.                                    
                                                                                
                                                                               
                                                                                
A:                                                                              
IP Fragmentation control is handled by the IBM Firewall via one of              
the pre-defined services.  The Firewall administrator can determine             
multiple possibilities on how fragmented IP packets can be handled.
By making selections via the Firewall GUI for Fragmentation control,            
the Firewall rules are automatically generated.                                 
                                                                                
Teardrop, Ping of Death, etc. are all various forms of 'denial of               
service' attacks, and most of these attacks are successful when                 
there is no firewall in place to protect an enterprise's network.
Another reason these attacks can be successful is that targeted systems         
have not been patched by their system administrator when new fixes              
against these attacks become available.  But when a firewall is put in          
place, it reduces the exposure to denial-of-service attacks because it
prevents rogue packets from flowing into the secure packets.  Worst             
case, the Firewall may shut down as a result of this attack, but the            
internal network would be safe, therefore, the firewall has done its            
job properly.                                                                   
                                                                                
The Dynamic IP ports control I'll have to research.  I'll update the            
PMR as soon as I have an answer, and try to get something to you by             
tomorrow.                                                                       
                                                                                
Thanks for using ASKQ                                                          
                                                                                
Search keywords:
denial of service                                                               
ping of death                                                                   
teardrop attack                                                                


WWQA: ITEM: RTA000153580
Dated: 11/1998 Category: FIREWAIX
This HTML file was generated 99/06/24~12:43:41