Firewall Wizards mailing list archives

Re: Crafted Packets Handling by Firewalls

From: Steve.Bleazard () wdr com
Date: Thu, 20 Jan 2000 15:45:45 +0800

     One of the reasons CP passes such packets is closely linked with high 
     availability.  Trying to fully maintain state across two machines so 
     that auto failover works is too hard.
     
     To filter and still allow HA, CP must allow all TCP flag states thro' 
     at all times.
     
     They could of course have an option to track the connection state when 
     not in a HA config.  I guess histerical raisens come into the picture 
     here.
     
     Steve


______________________________ Reply Separator _________________________________
Subject: Crafted Packets Handling by Firewalls
Author:  ofir (ofir () packet-technologies com) at unix/o2=mime
Date:    19/1/00 4:30 PM


Most Firewalls will not check for the accuracy of the packet.

For example: CheckPoint Firewall-1 

Assume port 80 is open to the www server. It lets a SYN-ACK 
packet go throw  when no SYN was first sent from the probing host. 
SYN-ACK is not the only example, SYN-FIN, RST , FIN,
FIN-ACK basically any TCP flag crafted packet.

This is known and not new. But why a "state full" firewall does 
not check for this behavior?

The question is why firewalls do not check for accuracy of
some TCP/IP suite traffic.

This is a BASIC thing to check.

I am not arguing that a firewall should validate all traffic
but it should at least check for abnormalities that are so 
obvious.

This should also eliminate some of the OS detection
methods. 

Sure you can avoid some of the OS detection methods by tweaking 
your open source kernel. I agree with Sipmle Nomad.

But what can you do when you are not dealing with open source?


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Ofir Arkin                      Tel: 972-3-5587001     
Security QA Manager    Fax: 972-3-5587003
Packet Technologies     http://www.packet-technologies.com
                                   ofir () packet-technologies com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



This message contains confidential information and is intended only 
for the individual named.  If you are not the named addressee you 
should not disseminate, distribute or copy this e-mail.  Please 
notify the sender immediately by e-mail if you have received this 
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses.  The sender therefore 
does not accept liability for any errors or omissions in the contents 
of this message which arise as a result of e-mail transmission.  If 
verification is required please request a hard-copy version.  This 
message is provided for informational purposes and should not be 
construed as a solicitation or offer to buy or sell any securities or 
related financial instruments.

Current thread:

Crafted Packets Handling by Firewalls Ofir Arkin (Jan 19)
- Re: Crafted Packets Handling by Firewalls Aaron D. Turner (Jan 20)
- Re: Crafted Packets Handling by Firewalls Darren Reed (Jan 20)
- <Possible follow-ups>
- Re: Crafted Packets Handling by Firewalls Ryan Russell (Jan 20)
- Re: Crafted Packets Handling by Firewalls Steve . Bleazard (Jan 20)