Security Basics mailing list archives
RE: Avoiding tunnels
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 1 Mar 2006 13:39:20 -0800
> I think if you tell the firewall only to accept HTTP on port 80, that'll do the trick (requires stateful inspecting firewall).
Unfortunately, that's not what stateful inspection is.

When a packet filter receives a packet, it looks at the source, destination, port numbers and flags, and decides to permit or drop the packet *in isolation*.

A *stateful* packet filter maintains a list of current active connections. A packet that is appropriate for the "state" of a current connection sails on through. (It might change the state of the connection-table entry, if, for instance, the FIN or RST flags are set....)

That leaves four other cases to be dealt with:

1. This packet is trying to start a new connection, which matches a "permit" rule. Add the connection (in its initial state) to the connection table.

2. This packet is trying to start a new connection, which matches a deny/drop/reject rule.

3. This packet isn't trying to start a new connection (at least by normal rules...), and doesn't match an existing connection in the table. A non-stateful packet filter would have let this by, but by being stateful, we can block it. [I see an awful lot of unsolicited SYN-ACK packets, and sometimes applications seem to be willing to accept that as a connection....]

4. Special protocols, such as FTP. Having established initial contact (see #1), client and server agree to begin additional connections on arbitrary ports. With a non-stateful packet filter, the only way I can permit these protocols is by leaving huge swaths of open ports. But a stateful packet-inspection implementation can "listen in" on the conversation and make an appropriate entry in the connection table (actually, usually, a temporary entry in the "permit" rulebase).

You may perhaps have been thinking of "deep inspection", where the firewall knows about protocol details and so can, for instance, verify that that stuff using port 80 is really HTTP.
David Gillett
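A toy stateful packet filter that walks through the four cases above, added here as an illustration (it is not code from the original message or from any firewall product). Hosts, ports and the permit rule are constructed; the filter tracks connections by a direction-independent key, only a bare SYN may open a new entry, and the FTP case is modelled as a one-shot temporary permit learned from the control channel. Deep inspection is deliberately not modelled.

```python
from collections import namedtuple
from dataclasses import dataclass, field

Packet = namedtuple("Packet", "src dst sport dport flags")  # flags: frozenset of TCP flags set

def conn_key(p):
    # Both directions of one connection map to the same table entry
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

@dataclass
class StatefulFilter:
    permit: set                                    # static rules: (dst_host, dst_port)
    table: dict = field(default_factory=dict)      # conn_key -> connection state
    temp_permit: set = field(default_factory=set)  # one-shot entries learned from FTP

    def decide(self, p):
        k = conn_key(p)
        if k in self.table:
            # Fits the state of a tracked connection: sails through; FIN/RST tears it down
            if p.flags & {"FIN", "RST"}:
                del self.table[k]
            return "PERMIT"
        if p.flags == {"SYN"}:
            target = (p.dst, p.dport)
            if target in self.permit or target in self.temp_permit:
                self.table[k] = "SYN_SENT"         # case 1: new connection, permit rule matches
                self.temp_permit.discard(target)   # the temporary rule is consumed
                return "PERMIT"
            return "DROP"                          # case 2: new connection, no permit rule
        return "DROP"                              # case 3: not a new connection, not in the table

    def learn_ftp_data_port(self, host, port):
        # Case 4: control channel announced a data port; permit just that connection, temporarily
        self.temp_permit.add((host, port))

def run_scenario():
    # Constructed traffic: server 10.0.0.5, web client 198.51.100.7, FTP peer 203.0.113.9
    fw = StatefulFilter(permit={("10.0.0.5", 80)})
    syn, synack, fin = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"FIN", "ACK"})
    results = [
        fw.decide(Packet("198.51.100.7", "10.0.0.5", 40000, 80, syn)),     # case 1 -> PERMIT
        fw.decide(Packet("10.0.0.5", "198.51.100.7", 80, 40000, synack)),  # tracked reply -> PERMIT
        fw.decide(Packet("198.51.100.7", "10.0.0.5", 40001, 22, syn)),     # case 2 -> DROP
        fw.decide(Packet("203.0.113.9", "10.0.0.5", 443, 50000, synack)),  # case 3: unsolicited SYN-ACK -> DROP
    ]
    fw.learn_ftp_data_port("10.0.0.5", 50001)
    results.append(fw.decide(Packet("203.0.113.9", "10.0.0.5", 20, 50001, syn)))  # case 4 -> PERMIT
    results.append(fw.decide(Packet("203.0.113.9", "10.0.0.5", 21, 50001, syn)))  # temp rule used up -> DROP
    results.append(fw.decide(Packet("198.51.100.7", "10.0.0.5", 40000, 80, fin))) # tear-down -> PERMIT
    return results, len(fw.table)
```

The scenario returns the seven decisions in order plus the number of connections still tracked afterwards (only the FTP data connection remains once the web connection has been torn down by FIN).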