Security Basics mailing list archives
RE: an error in the NMAP docs?
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 5 Apr 2005 08:52:12 -0700
A *stateful* packet filter only allows response traffic back in if it saw the initial traffic going out. BUT NOT ALL PACKET FILTERS ARE STATEFUL.

DNS requests are normally made using UDP, but sometimes the answer is "here is a partial result, but the whole result is available if you ask again via TCP". Admins who don't have details of this mechanism, but who *do* know that DNS falls back to TCP when the result set is large, may expect the server to open a TCP connection to the client to return this result, and so configure things to permit that. (It was only within the last month that *I* learned how this really works....)

In normal (non-PASV) FTP, the server opens the data connection back to the client, sourced from port 20. IF you allow clients to talk non-PASV FTP, you have to allow this or FTP won't work. A stateful packet filter will observe the FTP *control* connection (outbound to port 21) and open the negotiated port back from the server as needed. But there are still plenty of networks where a stateless packet filter has to assume inbound connections from port 20 are FTP data connections, and the NMAP docs are correct that violating this assumption makes for a pretty convenient gaping security hole.

David Gillett
-----Original Message-----
From: Michael Herz [mailto:mherz () uwaterloo ca]
Sent: Friday, April 01, 2005 8:05 AM
To: security-basics () securityfocus com
Subject: an error in the NMAP docs?

Hi all,

Is there an error in the NMAP docs? The --source_port section says:

"Many naive firewall and packet filter installations make an exception in their rule-set to allow DNS (53) or FTP-DATA (20) packets to come through and establish a connection. Obviously this completely subverts the security advantages of the firewall since intruders can just masquerade as FTP or DNS by modifying their source port."

This implies that the hole in a packet filtered machine exists if it has allowed inbound DNS or FTP connections. I don't believe this is true. I think the hole only exists if the machine has allowed outbound (ie client) connections from the machine. For example if the machine allowed outbound DNS client requests to the world, using --source_port 53 would exploit the hole.

Any comments would be appreciated.

Mike

---------------------------------------------------------------------------
Earn your MS in Information Security ONLINE
Organizations worldwide are in need of highly qualified information security professionals. Norwich University is fulfilling this demand with its MS in Information Security offered online. Recognized by the NSA as an academically excellent program, NU offers you the opportunity to earn your degree without disrupting your home or work life.
http://www.msia.norwich.edu/secfocus_en
---------------------------------------------------------------------------
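The distinction the two posters are arguing about can be made concrete. The following is an added example written for this archive page; it is not code from either poster, from the list, or from the Nmap project. It models a naive stateless filter that trusts source ports 20 and 53 beside a stateful filter that only admits replies to flows it saw leave (plus a pinhole learned from an FTP PORT command), and runs the same packets through both. All IP addresses, ports and the PORT command are constructed sample values.

```python
"""Stateless vs. stateful filtering of "trusted" source ports (DNS 53, FTP-DATA 20).

Added example, not code from the original posts or from Nmap. It shows why a
stateless exception keyed on the *source* port lets a remote host reach any
destination port just by setting that source port (what nmap --source_port
does), while a stateful filter ignores the source port and asks only "did I
see the matching outbound traffic?". Addresses and ports are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# The "naive" exception the Nmap docs describe: FTP-DATA and DNS source ports.
TRUSTED_SRC_PORTS = {20, 53}


def stateless_allows(pkt: Packet) -> bool:
    """Stateless filter: admit any inbound packet from a trusted service port.
    Neither the destination port nor prior traffic is consulted."""
    return pkt.src_port in TRUSTED_SRC_PORTS


# (proto, src_ip, src_port, dst_ip, dst_port) as seen on the inbound packet
Flow = Tuple[str, str, int, str, int]


class StatefulFilter:
    """Admit inbound packets only if they answer a flow the filter saw leave,
    or match an explicit pinhole (e.g. opened after reading an FTP PORT command)."""

    def __init__(self) -> None:
        self.expected: Set[Flow] = set()

    def outbound(self, pkt: Packet) -> None:
        # Record the reply direction of the flow that just left.
        self.expected.add((pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))

    def pinhole(self, proto: str, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> None:
        self.expected.add((proto, src_ip, src_port, dst_ip, dst_port))

    def allows_inbound(self, pkt: Packet) -> bool:
        return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self.expected


def parse_ftp_port_command(line: str) -> Tuple[str, int]:
    """Parse an active-mode FTP 'PORT h1,h2,h3,h4,p1,p2' line into (ip, port).
    A stateful filter that understands FTP reads this on the control channel
    (client -> server:21) to learn exactly where the server's data connection
    from port 20 will land, and opens only that."""
    verb, _, args = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    fields = [int(x) for x in args.split(",")]
    if len(fields) != 6 or any(not 0 <= x <= 255 for x in fields):
        raise ValueError("malformed PORT arguments")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Return {case: (stateless_verdict, stateful_verdict)} for four packets."""
    client, resolver = "192.0.2.10", "198.51.100.53"       # constructed
    ftp_server, attacker = "198.51.100.21", "203.0.113.9"  # constructed
    fw = StatefulFilter()

    # 1. Legitimate DNS: client queries the resolver, reply comes back from :53.
    fw.outbound(Packet("udp", client, 40123, resolver, 53))
    dns_reply = Packet("udp", resolver, 53, client, 40123)

    # 2. Attacker probes SSH with a source port of 53 (nmap --source_port 53).
    probe = Packet("tcp", attacker, 53, client, 22)

    # 3. Active FTP: client sends PORT on the control channel; the stateful
    #    filter opens a pinhole for server:20 -> client:<negotiated port> only.
    fw.outbound(Packet("tcp", client, 50001, ftp_server, 21))
    data_ip, data_port = parse_ftp_port_command("PORT 192,0,2,10,4,1")
    fw.pinhole("tcp", ftp_server, 20, data_ip, data_port)
    ftp_data = Packet("tcp", ftp_server, 20, client, data_port)

    # 4. Attacker masquerades as FTP-DATA to reach a different service.
    fake_ftp = Packet("tcp", attacker, 20, client, 445)

    return {
        "dns_reply": (stateless_allows(dns_reply), fw.allows_inbound(dns_reply)),
        "probe_src53": (stateless_allows(probe), fw.allows_inbound(probe)),
        "ftp_data": (stateless_allows(ftp_data), fw.allows_inbound(ftp_data)),
        "fake_ftp_data": (stateless_allows(fake_ftp), fw.allows_inbound(fake_ftp)),
    }


if __name__ == "__main__":
    for case, (stateless, stateful) in demo().items():
        print(f"{case:14s} stateless={str(stateless):5s} stateful={stateful}")
```

The two legitimate packets pass both filters, and the two probes with a forged source port pass only the stateless one. Note that the stateful verdict never looks at the source port as a "trusted" value; it is accepted only because the client's earlier query or PORT command told the filter to expect that exact 5-tuple, which is the property Gillett describes above.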
Current thread:
- an error in the NMAP docs? Michael Herz (Apr 04)
- Re: an error in the NMAP docs? Barrie Dempster (Apr 05)
- RE: an error in the NMAP docs? David Gillett (Apr 06)
- RE: an error in the NMAP docs? Michael Herz (Apr 06)
- RE: an error in the NMAP docs? David Gillett (Apr 07)
- RE: an error in the NMAP docs? Michael Herz (Apr 07)
- RE: an error in the NMAP docs? David Gillett (Apr 08)
- RE: an error in the NMAP docs? Michael Herz (Apr 08)
- RE: an error in the NMAP docs? David Gillett (Apr 08)
- RE: an error in the NMAP docs? Michael Herz (Apr 08)
- RE: an error in the NMAP docs? Michael Herz (Apr 06)
- <Possible follow-ups>
- RE: an error in the NMAP docs? Fields, James (Apr 05)