Firewall Wizards mailing list archives
Re: How stateful is stateful inspection?
From: "Sean Costello" <xlate () home com>
Date: Wed, 14 Jul 1999 06:55:06 -0500
Lance, the only attacks I'm currently aware of using mangled seq & ack #'s in the packet also heavily rely on an OS's inability to deal with packet fragmentation (la tierra I think...? something like that...). FW1 inherently will not route a fragmented packet before it has been fully reassembled. This is known as the fragmentation engine and provides inherent protection against things like the PING of death and so on. In summary it eliminates any one of many exploitations of various vendors' poorly designed reassembly mechanisms.

I don't know of any attacks which solely rely on just the ability to manipulate the seqs & acks so as to get anything more than an RST connection. Nor can I determine that any more damage can be done than they are inherently able to cause just by virtue of having a given port connection. I realise that it isn't the most secure point of view, but it seems that any alternative would incur an extremely high price in performance and overhead.

Couldn't an IDS system key on the inevitable and numerous RSTs generated by a protected client? If more than two or three resets occur on a given client's connection, seqs & acks could then be sampled to assure the integrity and legitimacy of a connection which was deemed suspicious. Once confirmed, the suspect connections could then be reported to the SAM, removing them as a potential threat. This seems to me to be the far more efficient means of locking down and reporting any attempt at abusing these attributes.

Just my two cents...

Sean Costello
Network Engineer
xlate () iname com

-----Original Message-----
From: Lance Spitzner <spitzner () dimension net>
To: firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Friday, July 09, 1999 6:53 PM
Subject: How stateful is stateful inspection?
Recently I've been doing a lot of research into how stateful inspection works, specifically on CP FW-1. I was hoping some of you FW-1 savvy firewall-wizards could review the whitepaper I posted and give it a sanity check.

I developed a Perl script that takes the FW connections table and outputs it into human readable form. I then built a variety of different packets and sent them through the firewall. With the Perl script, I was able to see how connections were established and maintained in the state table. All results and source code can be found at http://www.enteract.com/~lspitz/fwtable.html

I'm hoping to validate (or invalidate) my findings. I also like to think you might be able to learn something :)

Thanks!

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc
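The RST-counting heuristic Sean sketches in his reply (count resets per client connection, and once there are more than two or three, sample the seq/ack numbers to decide whether the resets are legitimate before reporting the connection) can be written down as a small detector. The code below is an added example for this archive page, not Sean's, Lance's or Check Point's code, and it makes some assumptions: the packet records, the four-tuple connection key, the `Packet` type, the `RstMonitor` class and the trace it runs over are all constructed here for illustration. The legitimacy test is the RFC 793 style check that a RST's sequence number falls inside the window the receiver last advertised (`rcv_nxt <= seq < rcv_nxt + rcv_wnd`); modern stacks following RFC 5961 are stricter and accept only an exact match, so treat the window check as the lenient end of what a sampler might do. Everything that matters is returned from functions rather than printed so it can be checked.

```python
"""Toy IDS heuristic: flag a client connection that sees a burst of RSTs,
then judge the sampled RSTs by whether their seq numbers are in-window.

Added example; the packet format and sample trace are constructed, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass

RST_THRESHOLD = 3          # Sean's "more than two or three resets"
SEQ_MOD = 1 << 32          # TCP sequence space wraps at 2**32


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # subset of "S", "A", "R"; e.g. "SA" for SYN-ACK
    seq: int
    ack: int
    win: int     # window advertised by the sender


def conn_key(p):
    """Direction-agnostic connection key so both halves of a flow share a record."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class RstMonitor:
    def __init__(self, threshold=RST_THRESHOLD):
        self.threshold = threshold
        self.rst_count = defaultdict(int)    # conn_key -> number of RSTs seen
        self.rsts = defaultdict(list)        # conn_key -> the RST packets (the "sample")
        # (receiver, sender) -> (next seq the receiver expects from sender, receiver's window)
        self.expected = {}

    def observe(self, p):
        key = conn_key(p)
        if "R" in p.flags:
            self.rst_count[key] += 1
            self.rsts[key].append(p)
            return
        if "A" in p.flags:
            # An ACK from p.src tells us what p.src will accept next from p.dst.
            self.expected[((p.src, p.sport), (p.dst, p.dport))] = (p.ack, p.win)

    def rst_in_window(self, p):
        """RFC 793 style acceptance: the RST's seq must lie in the receiver's window.
        Without any recorded expectation the RST cannot be vouched for."""
        exp = self.expected.get(((p.dst, p.dport), (p.src, p.sport)))
        if exp is None:
            return False
        rcv_nxt, rcv_wnd = exp
        return (p.seq - rcv_nxt) % SEQ_MOD < rcv_wnd

    def report(self):
        """Connections over threshold, with how many sampled RSTs failed the window check.
        'report' is what would be handed to the firewall's suspicious-activity hook."""
        out = {}
        for key, n in self.rst_count.items():
            if n <= self.threshold:
                continue
            forged = [r for r in self.rsts[key] if not self.rst_in_window(r)]
            out[key] = {
                "rsts": n,
                "out_of_window": len(forged),
                "verdict": "report" if forged else "legitimate",
            }
        return out


def run(packets, threshold=RST_THRESHOLD):
    m = RstMonitor(threshold)
    for p in packets:
        m.observe(p)
    return m


# Constructed trace: one handshake followed by four RSTs forged "from" the server
# with guessed sequence numbers, plus an unrelated connection torn down by a single
# genuine RST that stays under the threshold.
SAMPLE = [
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, "S", 1000, 0, 8192),
    Packet("192.0.2.10", 80, "10.0.0.5", 40000, "SA", 5000, 1001, 8192),
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, "A", 1001, 5001, 65535),
    Packet("192.0.2.10", 80, "10.0.0.5", 40000, "R", 1, 0, 0),
    Packet("192.0.2.10", 80, "10.0.0.5", 40000, "R", 200000, 0, 0),
    Packet("192.0.2.10", 80, "10.0.0.5", 40000, "R", 300000, 0, 0),
    Packet("192.0.2.10", 80, "10.0.0.5", 40000, "R", 400000, 0, 0),
    Packet("10.0.0.5", 40001, "192.0.2.20", 25, "S", 7000, 0, 8192),
    Packet("192.0.2.20", 25, "10.0.0.5", 40001, "SA", 9000, 7001, 8192),
    Packet("10.0.0.5", 40001, "192.0.2.20", 25, "A", 7001, 9001, 65535),
    Packet("192.0.2.20", 25, "10.0.0.5", 40001, "R", 9001, 0, 0),
]

if __name__ == "__main__":
    for key, verdict in run(SAMPLE).report().items():
        print(key, verdict)
```

Two practical caveats when using something like this: a bare RST count is noisy (port scans and ordinary teardowns produce RSTs too), which is exactly why Sean defers the seq/ack sampling until the count is already high; and the in-window check needs the monitor to have seen the handshake or a recent ACK, so a sensor that only starts watching mid-connection will mark every RST as unverifiable until it has observed one.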
Current thread:
- How stateful is stateful inspection? Lance Spitzner (Jul 09)
- <Possible follow-ups>
- Re: How stateful is stateful inspection? Sean Costello (Jul 13)
- Re: How stateful is stateful inspection? David Lang (Jul 14)
- Re: How stateful is stateful inspection? Sean Costello (Jul 14)
- Re: How stateful is stateful inspection? David Lang (Jul 14)