Bugtraq mailing list archives
Crafted Packets Handling by Firewalls - FW-1 case
From: ofir () PACKET-TECHNOLOGIES COM (Ofir Arkin)
Date: Thu, 20 Jan 2000 08:33:38 +0200
I will try to focus more on the subject. FW-1 does accept ACK, SYN-ACK, NULL, FIN-ACK (and more) as valid traffic if they match the rule base, even if no connection establishment was in progress and no session state was in the firewall's table. That means no SYN was sent from the inside machine, no SYN-ACK from the outside machine, and no ACK back to finish the 3-way handshake [this is connection establishment from the inside out]. Just a "nowhere from" SYN-ACK traveling from the attacker to the probed host(s).

I have seen before Lance Spitzner's article about "Understanding the FW-1 State table" http://www.enteract.com/~lspitz/fwtable.html (all Lance's papers are worth reading!) and it is validating what I have found a few months ago.

If FW-1 were checking for correctness, whether the SYN-ACK belongs to a connection establishment in progress, no problem would have occurred. Since a SYN from an inside machine should indicate the start of the 3-way handshake, a SYN-ACK should be returned with the same pair of sockets. But since no "state" was made in the table for this connection, no firewall should accept this SYN-ACK.

After the SYN (or other combination of the TCP flags from the outside) to an open port (and IP) in the firewall rule base opens a session in the stateful table, any other packet can travel from the outside -> inside, when the only checking to be made would be to see if it matches the sockets! This opens a wealth of opportunities to the attacking party. OS detection, port mapping and other tactics to map a network enjoy this behavior.

If CheckPoint FW-1 has a problem with the start/stop process, then it had to build another mechanism to remember. Understanding that one of the firewall's obligations is to examine valid traffic is essential. It is, in most cases, the sole defender of a network.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Ofir Arkin                         Tel: 972-3-5587001
Security QA Manager                Fax: 972-3-5587003
Packet Technologies                http://www.packet-technologies.com
ofir () packet-technologies com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
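The state-table behaviour the post describes, as an added model that is not FW-1 code and not part of the original message: a toy stateful filter whose `strict` flag decides whether only a bare SYN may open a session, so the loose setting reproduces "SYN-ACK with no state is accepted and opens a session" and the strict setting drops it. Host addresses, ports and the two-rule rule base are constructed for the example.

```python
from dataclasses import dataclass

SYN, ACK, FIN = 0x02, 0x10, 0x01   # TCP flag bits used below


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class StatefulFilter:
    """State table keyed by the initiator's 4-tuple.  `rules` lists
    (initiator_zone, dport) pairs the rule base lets open a session."""

    def __init__(self, inside_prefix, rules, strict=True):
        self.inside = inside_prefix
        self.rules = set(rules)
        self.strict = strict            # False mimics the behaviour in the post
        self.table = {}                 # (src, sport, dst, dport) -> state

    def zone(self, ip):
        return "inside" if ip.startswith(self.inside) else "outside"

    def filter(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:                      # initiator's packets
            if self.table[fwd] == "SYN_RECV" and p.flags & ACK:
                self.table[fwd] = "ESTABLISHED"
            return "ACCEPT"
        if rev in self.table:                      # responder's packets
            if self.table[rev] == "SYN_SENT":
                if p.flags != SYN | ACK:           # only a SYN-ACK answers a SYN
                    return "DROP"
                self.table[rev] = "SYN_RECV"
            return "ACCEPT"
        # No state at all: may this packet open a session?
        if (self.zone(p.src), p.dport) not in self.rules:
            return "DROP"
        if self.strict and p.flags != SYN:
            return "DROP"   # stray SYN-ACK/ACK/NULL/FIN-ACK: no handshake in progress
        self.table[fwd] = "SYN_SENT" if p.flags == SYN else "ESTABLISHED"
        return "ACCEPT"


def probe_with_syn_ack(strict):
    """Outside host sends a lone SYN-ACK to a published web server (port 80
    open from outside), then a plain ACK on the same sockets (constructed)."""
    fw = StatefulFilter("10.0.0.", [("outside", 80), ("inside", 443)], strict)
    synack = Packet("203.0.113.9", 40000, "10.0.0.5", 80, SYN | ACK)
    follow = Packet("203.0.113.9", 40000, "10.0.0.5", 80, ACK)
    return fw.filter(synack), fw.filter(follow)


def normal_handshake():
    """Inside client opens a permitted connection; all three packets pass."""
    fw = StatefulFilter("10.0.0.", [("outside", 80), ("inside", 443)])
    c, s = "10.0.0.7", "198.51.100.2"
    return (fw.filter(Packet(c, 51000, s, 443, SYN)),
            fw.filter(Packet(s, 443, c, 51000, SYN | ACK)),
            fw.filter(Packet(c, 51000, s, 443, ACK)),
            fw.table[(c, 51000, s, 443)])
```

With `strict=False` the lone SYN-ACK is accepted and creates an entry, after which the follow-up packet passes on the socket match alone; with `strict=True` both are dropped.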