Firewall Wizards mailing list archives
Re: Crafted Packets Handling by Firewalls
From: Steve.Bleazard () wdr com
Date: Thu, 20 Jan 2000 15:45:45 +0800
One of the reasons CP passes such packets is closely linked with high availability. Trying to fully maintain state across two machines so that auto failover works is too hard. To filter and still allow HA, CP must allow all TCP flag states thro' at all times. They could of course have an option to track the connection state when not in an HA config. I guess histerical raisens come into the picture here.

Steve

______________________________ Reply Separator _________________________________
Subject: Crafted Packets Handling by Firewalls
Author: ofir (ofir () packet-technologies com) at unix/o2=mime
Date: 19/1/00 4:30 PM

Most Firewalls will not check for the accuracy of the packet. For example: CheckPoint Firewall-1. Assume port 80 is open to the www server. It lets a SYN-ACK packet go through when no SYN was first sent from the probing host. SYN-ACK is not the only example: SYN-FIN, RST, FIN, FIN-ACK, basically any TCP flag crafted packet.

This is known and not new. But why does a "state full" firewall not check for this behavior? The question is why firewalls do not check for accuracy of some TCP/IP suite traffic. This is a BASIC thing to check. I am not arguing that a firewall should validate all traffic, but it should at least check for abnormalities that are so obvious. This should also eliminate some of the OS detection methods.

Sure you can avoid some of the OS detection methods by tweaking your open source kernel. I agree with Simple Nomad. But what can you do when you are not dealing with open source?

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Ofir Arkin                          Tel: 972-3-5587001
Security QA Manager                 Fax: 972-3-5587003
Packet Technologies
http://www.packet-technologies.com
ofir () packet-technologies com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
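The thread's complaint is that a "stateful" firewall accepts a SYN-ACK (or SYN-FIN, bare RST, and so on) to an open port even though no matching SYN ever crossed it, and Steve's reply is that tracking that state is what gets sacrificed for HA failover. The toy connection tracker below, added here as an illustration and not code from either poster or from Check Point, shows the difference: `strict=True` admits a segment only if it fits the tracked state of its 4-tuple, while `strict=False` keeps just the port rule, which is the behaviour Ofir describes. The addresses, port numbers, state names and the `StatefulFilter`/`Packet` classes are all constructed for this example; the flag checks in `flags_malformed` are the stateless ones (SYN with FIN or RST, null, FIN without ACK) that can be rejected without any table at all.

```python
"""Toy stateful TCP flag checker (constructed example, not any product's code)."""
from dataclasses import dataclass

# TCP flag bits as laid out in the header's flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Connection-tracking states (hypothetical names for this example)
SYN_SEEN, SYNACK_SEEN, ESTABLISHED = "SYN_SEEN", "SYNACK_SEEN", "ESTABLISHED"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def flags_malformed(flags: int) -> bool:
    """Flag combinations no conforming TCP stack emits: null, SYN with FIN or RST,
    and FIN (or Xmas) segments without ACK. These need no state to reject."""
    if flags == 0:
        return True
    if flags & SYN and flags & (FIN | RST):
        return True
    if flags & FIN and not flags & ACK:
        return True
    return False


class StatefulFilter:
    """Tracks the three-way handshake per 4-tuple and admits only segments that
    fit the connection's current state. strict=False keeps only the port rule."""

    def __init__(self, open_ports, strict=True):
        self.open_ports = set(open_ports)
        self.strict = strict
        self.table = {}  # (client, cport, server, sport) -> state

    def process(self, p: Packet):
        if flags_malformed(p.flags):
            return "DROP", "malformed flag combination"
        # Normalise the key so both directions map to the same entry
        if p.dport in self.open_ports:
            key, inbound = (p.src, p.sport, p.dst, p.dport), True
        elif p.sport in self.open_ports:
            key, inbound = (p.dst, p.dport, p.src, p.sport), False
        else:
            return "DROP", "port not open"
        if not self.strict:
            return "ALLOW", "port rule only (no state check)"
        state = self.table.get(key)
        if inbound and p.flags == SYN and state in (None, SYN_SEEN):
            self.table[key] = SYN_SEEN          # new connection (or SYN retransmit)
            return "ALLOW", "new connection"
        if state is None:
            return "DROP", "no connection for this segment"
        if p.flags & RST:
            del self.table[key]                 # reset of a tracked connection
            return "ALLOW", "reset of tracked connection"
        if not inbound and state == SYN_SEEN and p.flags == SYN | ACK:
            self.table[key] = SYNACK_SEEN       # server's handshake reply
            return "ALLOW", "handshake reply"
        if inbound and state == SYNACK_SEEN and p.flags & ACK and not p.flags & SYN:
            self.table[key] = ESTABLISHED       # client's final ACK
            return "ALLOW", "handshake complete"
        if state == ESTABLISHED and p.flags & ACK and not p.flags & SYN:
            return "ALLOW", "established"
        return "DROP", f"flags {p.flags:#04x} do not fit state {state}"


def run_scenario(strict: bool):
    """Constructed probe traffic against a web server; returns verdict per segment."""
    fw = StatefulFilter(open_ports={80}, strict=strict)
    probe, www = "198.51.100.7", "192.0.2.10"   # RFC 5737 documentation addresses
    traffic = [
        ("synack_no_syn", Packet(probe, 40000, www, 80, SYN | ACK)),
        ("syn_fin",       Packet(probe, 40001, www, 80, SYN | FIN)),
        ("null",          Packet(probe, 40002, www, 80, 0)),
        ("bare_rst",      Packet(probe, 40003, www, 80, RST)),
        ("syn",           Packet(probe, 40004, www, 80, SYN)),
        ("synack_reply",  Packet(www, 80, probe, 40004, SYN | ACK)),
        ("ack",           Packet(probe, 40004, www, 80, ACK)),
        ("data",          Packet(probe, 40004, www, 80, PSH | ACK)),
    ]
    return {name: fw.process(pkt)[0] for name, pkt in traffic}


if __name__ == "__main__":
    for mode in (True, False):
        print("strict" if mode else "port rule only", run_scenario(mode))
```

In strict mode the unsolicited SYN-ACK and the bare RST are dropped for lack of a tracked connection, the SYN-FIN and null segments are dropped by the stateless check, and only the real handshake and its data pass; with the port rule alone the SYN-ACK and bare RST sail through exactly as the original post describes. Note that the stateless `flags_malformed` check costs nothing in an HA pair, since it needs no synchronised table, so even the trade-off Steve describes leaves room for rejecting the most obviously crafted segments.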
Current thread:
- Crafted Packets Handling by Firewalls Ofir Arkin (Jan 19)
- Re: Crafted Packets Handling by Firewalls Aaron D. Turner (Jan 20)
- Re: Crafted Packets Handling by Firewalls Darren Reed (Jan 20)
- <Possible follow-ups>
- Re: Crafted Packets Handling by Firewalls Ryan Russell (Jan 20)
- Re: Crafted Packets Handling by Firewalls Steve . Bleazard (Jan 20)