Security Basics mailing list archives

RE: Avoiding tunnels

From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 1 Mar 2006 13:39:20 -0800

I think if you tell the firewall only to accept HTTP on port 
80, that'll do the trick (requires stateful inspecting firewall).


  Unfortunately, that's not what stateful inspection is.

  When a packet filter receives a packet, it looks at the source,
destination, port numbers and flags, and decides to permit or
drop the packet *in isolation*.
  A *stateful* packet filter maintains a list of current active
connections.  A packet that is appropriate for the "state" of a 
current connection sails on through.  (It might change the state
of the connection-table entry, if, for instance, the FIN or RST
flags are set....)

  That leaves four other cases to be dealt with:

1.  This packet is trying to start a new connection, which matches
a "permit" rule.  Add the connection (in its initial state) to the
connection table.

2.  This packet is trying to start a new connection, which matches
a deny/drop/reject rule.

3.  This packet isn't trying to start a new connection (at least by
normal rules...), and doesn't match an existing connection in the
table.  A non-stateful packet filter would have let this by, but
by being stateful, we can block it.  [I see an awful lot of unsolicited
SYN-ACK packets, and sometimes applications seem to be willing to 
accept that as a connection....]

4.  Special protocols, such as FTP.  Having established initial
contact (see #1), client and server agree to begin additional
connections on arbitrary ports.  With a non-stateful packet filter,
the only way I can permit these protocols is by leaving huge swaths 
of open ports.  But a stateful packet-inspection implementation can
"listen in" on the conversation and make an appropriate entry in the 
connection table (actually, usually, a temporary entry in the "permit"
rulebase).

  You may perhaps have been thinking of "deep inspection", where the
firewall knows about protocol details and so can, for instance, verify
that that stuff using port 80 is really HTTP.

David Gillett



---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Current thread:

Re: Avoiding tunnels Neil (Mar 01)
- RE: Avoiding tunnels David Gillett (Mar 02)
  - Re: Avoiding tunnels Neil (Mar 02)
- <Possible follow-ups>
- RE: Avoiding tunnels Tony Stevenson (Mar 01)
  - Message not available
    - RE: Avoiding tunnels rembrandt (Mar 03)
    - Message not available
    - Re: Avoiding tunnels Brian Loe (Mar 06)
- Re: Avoiding tunnels Ansgar -59cobalt- Wiechers (Mar 01)
  - Re: Avoiding tunnels Javier Hijas (Mar 02)
    - RE: Avoiding tunnels David Gillett (Mar 02)
- RE: Avoiding tunnels Baker, Richard (Mar 03)
- Re: RE: Avoiding tunnels barcajax (Mar 03)