Does Packet Reassembly Pose a Security Risk?
FireWall-1 performs virtual packet reassembly, and does not send a packet until all its fragments have been collected. The algorithm used is stricter than the standard packet reassembly algorithm, and does not permit overlays. Note: Since IP specifications forbid a router from reassembling IP fragments, FireWall-1 does not send the reassembled packet but rather the fragments as FireWall-1 received them.