Firewall Wizards mailing list archives

Re: How stateful is stateful inspection?


From: "Sean Costello" <xlate () home com>
Date: Wed, 14 Jul 1999 06:55:06 -0500

Lance,

The only attacks I'm currently aware of using mangled 
seq & ack #'s in the packet also rely heavily on an OS's
inability to deal with packet fragmentation (la tierra I 
think...? something like that...).

FW1 inherently will not route a fragmented packet 
before it has been fully reassembled.  This is known as 
the fragmentation engine and provides inherent 
protection against things like the PING of death and so 
on.  

In summary it eliminates any one of many exploitations
of various vendors' poorly designed reassembly 
mechanisms.

I don't know of any attacks which solely rely on just the
ability to manipulate the seqs & acks so as to get 
anything more than a rst connection.  

Nor can I determine that any more damage can be done 
than they are inherently able to cause just by virtue of 
having a given port connection.

I realise that it isn't the most secure point of view, but it
seems that any alternative would incur an extremely 
high price in performance and overhead.

Couldn't an IDS system key on the inevitable and
numerous RSTs generated by a protected client?  If 
more than two or three resets occur on a given client's
connection, seq & acks could then be sampled to 
assure the integrity and legitimacy of a connection 
which was deemed as suspicious.

Once confirmed, the suspect connections could then be 
reported to the SAM and removed as a potential 
threat.

This seems to me to be the far more efficient means of
locking down and reporting any attempt for abusing these 
attributes.

just my two-cents...

Sean Costello
Network Engineer
xlate () iname com
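
The RST-counting heuristic proposed in the message above, as an added example that is not part of the original post or of any FW-1/SAM code: a small monitor that counts resets per connection, flags a connection once the count reaches a threshold, and then samples each reset's sequence number against the state tracked for the endpoint it claims to come from. The packet records, the 65535-byte window, the threshold of three and all addresses are constructed assumptions.

```python
# Added example, not from the original post: a monitor for the "many RSTs on one
# connection" heuristic. Packet records, window size and threshold are assumed
# values for illustration.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

WINDOW = 65535        # assumed receive window for the in-window test
RST_THRESHOLD = 3     # "more than two or three resets" -> sample seq/ack
MOD32 = 0xFFFFFFFF


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # TCP flag letters, e.g. "S", "SA", "A", "R"
    seq: int
    ack: int
    payload: int = 0  # bytes of data carried


@dataclass
class ConnState:
    rst_count: int = 0
    # next sequence number expected from each endpoint, keyed by "ip:port"
    next_seq: Dict[str, int] = field(default_factory=dict)
    # (claimed sender, seq) of every reset seen on this connection
    rst_seqs: List[Tuple[str, int]] = field(default_factory=list)


def endpoint(ip: str, port: int) -> str:
    return f"{ip}:{port}"


def conn_key(p: Packet) -> Tuple[str, str]:
    """Direction-independent connection identifier."""
    a, b = endpoint(p.src, p.sport), endpoint(p.dst, p.dport)
    return (a, b) if a < b else (b, a)


def in_window(seq: int, expected: int, window: int = WINDOW) -> bool:
    """True if seq lies in [expected, expected + window) modulo 2**32."""
    return ((seq - expected) & MOD32) < window


class RstMonitor:
    def __init__(self, threshold: int = RST_THRESHOLD):
        self.threshold = threshold
        self.conns: Dict[Tuple[str, str], ConnState] = defaultdict(ConnState)

    def observe(self, p: Packet) -> None:
        st = self.conns[conn_key(p)]
        sender = endpoint(p.src, p.sport)
        if "R" in p.flags:
            # Count the reset and remember the seq it carried; it must not
            # alter the tracked state, since it may not be genuine.
            st.rst_count += 1
            st.rst_seqs.append((sender, p.seq))
            return
        # A genuine segment advances the sender's expected next seq by its
        # payload plus one for SYN and one for FIN.
        consumed = p.payload + ("S" in p.flags) + ("F" in p.flags)
        st.next_seq[sender] = (p.seq + consumed) & MOD32

    def suspicious_connections(self) -> Dict[Tuple[str, str], dict]:
        """Connections at or above the RST threshold, with their resets
        sampled against the tracked state: a reset whose seq is outside the
        claimed sender's window cannot have come from that endpoint."""
        report = {}
        for key, st in self.conns.items():
            if st.rst_count < self.threshold:
                continue
            bad = sum(1 for sender, seq in st.rst_seqs
                      if sender in st.next_seq
                      and not in_window(seq, st.next_seq[sender]))
            report[key] = {"rst_count": st.rst_count, "out_of_window_rsts": bad}
        return report


def build_sample_monitor() -> RstMonitor:
    """Feed two constructed flows: a normal one closed by a single genuine
    reset, and one hit by repeated resets with guessed sequence numbers."""
    m = RstMonitor()
    srv = ("192.0.2.10", 80)
    # Flow 1: handshake, one data segment, one genuine RST from the server.
    c1 = ("10.0.0.5", 40000)
    m.observe(Packet(*c1, *srv, "S", 1000, 0))
    m.observe(Packet(*srv, *c1, "SA", 5000, 1001))
    m.observe(Packet(*c1, *srv, "A", 1001, 5001))
    m.observe(Packet(*c1, *srv, "A", 1001, 5001, payload=100))
    m.observe(Packet(*srv, *c1, "R", 5001, 0))
    # Flow 2: handshake, then five RSTs claiming to be from the server; only
    # one carries the server's real next seq (5001).
    c2 = ("10.0.0.7", 40001)
    m.observe(Packet(*c2, *srv, "S", 1000, 0))
    m.observe(Packet(*srv, *c2, "SA", 5000, 1001))
    m.observe(Packet(*c2, *srv, "A", 1001, 5001))
    for guessed in (100000, 4000, 2 ** 31, 5001, 777):
        m.observe(Packet(*srv, *c2, "R", guessed, 0))
    return m


if __name__ == "__main__":
    for key, info in build_sample_monitor().suspicious_connections().items():
        print(key, info)
```

Only the second flow crosses the threshold, and four of its five resets carry a sequence number the server could not have been using, which is the evidence a SAM-style report would want before dropping the connection; the single genuine reset on the first flow never triggers sampling at all.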




-----Original Message-----
From: Lance Spitzner <spitzner () dimension net>
To: firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Friday, July 09, 1999 6:53 PM
Subject: How stateful is stateful inspection?


Recently I've been doing a lot of research into how
stateful inspection works, specifically on CP FW-1.
I was hoping some of you FW-1 savvy firewall-wizards
could review the whitepaper I posted and give it a sanity
check.

I developed a PERL script that takes the FW connections
table and outputs it into human readable form.  I then 
built a variety of different packets and sent them through
the firewall.  With the PERL script, I was able to see how 
connections were established and maintained in the state 
table.  All results and source code can be found at 
http://www.enteract.com/~lspitz/fwtable.html

I'm hoping to validate (or invalidate) my findings. I
also like to think you might be able to learn something :)

Thanks!

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc
