Security Basics mailing list archives

RE: an error in the NMAP docs?


From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 5 Apr 2005 08:52:12 -0700

  A *stateful* packet filter only allows response traffic back in
if it saw the initial traffic going out.  BUT NOT ALL PACKET FILTERS
ARE STATEFUL.

  DNS requests are normally made using UDP, but sometimes the answer
is "here is a partial result, but the whole result is available if
you ask again via TCP".  Admins who don't have details of this mechanism,
but who *do* know that DNS falls back to TCP when the result set is large,
may expect the server to open a TCP connection to the client to return
this result, and so configure things to permit that.  (It was only within
the last month that *I* learned how this really works....)

  In normal (non-PASV) FTP, the server opens the data connection back to
the client, sourced from port 20.  IF you allow clients to talk non-PASV
FTP, you have to allow this or FTP won't work.
  A stateful packet filter will observe the FTP *control* connection 
(outbound to port 21) and open the negotiated port back from the server
as needed.  But there are still plenty of networks where a stateless packet
filter has to assume inbound connections from port 20 are FTP data 
connections, and the NMAP docs are correct that violating this assumption
makes for a pretty convenient gaping security hole.

David Gillett
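As an added illustration of the distinction drawn above (example code, not from this thread), the following toy model puts the naive "allow inbound from source port 20/53" rule beside a filter that admits only replies to flows it saw leave; the addresses and ports are constructed.

```python
# Added example: a stateless "trusted source port" rule next to a stateful one.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag, i.e. a new-connection attempt


INSIDE = "10.0.0.5"     # constructed: the protected host


class StatelessFilter:
    """Naive rule set: permit any inbound packet sourced from DNS (53) or FTP-DATA (20)."""
    TRUSTED_SRC_PORTS = {20, 53}

    def allow_inbound(self, pkt: Packet) -> bool:
        return pkt.sport in self.TRUSTED_SRC_PORTS


class StatefulFilter:
    """Permit inbound traffic only as the reverse of a flow seen going out."""
    def __init__(self):
        self.flows = set()  # (proto, inside_addr, inside_port, peer_addr, peer_port)

    def outbound(self, pkt: Packet) -> None:
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def allow_inbound(self, pkt: Packet) -> bool:
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def evaluate():
    """Return (stateless_verdicts, stateful_verdicts) for two constructed inbound packets."""
    stateless, stateful = StatelessFilter(), StatefulFilter()
    # The inside host really sent a DNS query, so its reply is legitimate traffic.
    query = Packet("udp", INSIDE, 40123, "192.0.2.53", 53)
    stateful.outbound(query)
    reply = Packet("udp", "192.0.2.53", 53, INSIDE, 40123)
    # An unsolicited TCP SYN to port 22 that merely *uses* source port 53.
    unsolicited = Packet("tcp", "198.51.100.9", 53, INSIDE, 22, syn=True)
    return (
        {"dns_reply": stateless.allow_inbound(reply), "unsolicited_syn": stateless.allow_inbound(unsolicited)},
        {"dns_reply": stateful.allow_inbound(reply), "unsolicited_syn": stateful.allow_inbound(unsolicited)},
    )
```

The stateless filter passes both packets, which is the hole the NMAP docs describe; the stateful filter passes only the reply to the query it saw leave.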


-----Original Message-----
From: Michael Herz [mailto:mherz () uwaterloo ca]
Sent: Friday, April 01, 2005 8:05 AM
To: security-basics () securityfocus com
Subject: an error in the NMAP docs?


Hi all,

Is there an error in the NMAP docs? The --source_port section says:

"Many naive firewall and packet filter installations make an exception in
their rule-set to allow DNS (53) or FTP-DATA (20) packets to come through
and establish a connection. Obviously this completely subverts the security
advantages of the firewall since intruders can just masquerade as FTP or
DNS by modifying their source port."

This implies that the hole in a packet filtered machine exists if it has
allowed inbound DNS or FTP connections. I don't believe this is true. I
think the hole only exists if the machine has allowed outbound (i.e. client)
connections from the machine. For example, if the machine allowed outbound
DNS client requests to the world, using --source_port 53 would exploit the
hole.

Any comments would be appreciated.
Mike


--------------------------------------------------------------
-------------
Earn your MS in Information Security ONLINE
Organizations worldwide are in need of highly qualified 
information security 
professionals.  Norwich University is fulfilling this demand 
with its MS in 
Information Security offered online.  Recognized by the NSA as an 
academically excellent program, NU offers you the opportunity 
to earn your 
degree without disrupting your home or work life.

http://www.msia.norwich.edu/secfocus_en
--------------------------------------------------------------
--------------
