Firewall Wizards mailing list archives
Re: dirty packet tricks?
From: wolt () igd fhg de (Stephen D. B. Wolthusen)
Date: 11 Jul 2002 18:33:33 +0200
Hi,

Ryan Russell <ryan () securityfocus com> writes:

[...]

> Wow, that's... not normal. OK. So, you want to build a hijacking router. So what do the route tables and subnet masks on the client machines look like, in theory? The clients have to believe that there is some route to the Internet, or they won't ever bother trying to get there. They either have to believe the Internet is all on the local segment (subnet mask 0.0.0.0, probably not workable...) or they have to think that it's through another router. I have to assume that if you don't want your transparent proxy thing to be the "official" router, then there must be another router, which means you must have multiple local subnets. Your firewall will have to have the ability to suck packets off all subnets you want to be able to reach the Internet, or have multiple ones, etc...

... phrased like that, it is starting to sound a lot like a souped-up switch (OK, multiport bridge). Sane switches treat multiple ARP responses (MAC addresses) as fault conditions and isolate the port the offending frames came from, so this probably won't go very far in most modern networks.

To catch all traffic (statically configured media address resolution tables aren't that rare; they will save you a lot of headaches in some fault-tolerant/clustered environments) and still meet the original requirement, the firewall/monitor effectively has to act as a multiport bridge (Lucent did this some years back and sell such a thing - if they're still around by the time I'm writing this). This means the usual bandwidth issues in switched/fabric environments, but the best bet is probably hacking up the switch OS, making port/VLAN mirroring a two-way street, and then doing whatever you need on a host attached to the mirroring port.

That's uglier than Saddam's hairy butt, and one of the reasons why distributed firewalling/ID is probably the only way out of the bandwidth mess (among others). Now there's some flame bait.

--
later,
Stephen

Fraunhofer-IGD            | mailto:
Stephen Wolthusen         | wolt () igd fhg de
Fraunhoferstr. 5          | swolthusen () acm org
64283 Darmstadt           | swolthusen () ieee org
GERMANY                   | stephen () wolthusen com
                          |
Tel +49 (0) 6151 155 539  | Fax: +49 (0) 6151 155 499
+49 (0) 172 916 9883      | +49 (0) 6245 905 366
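The fault condition Stephen refers to, one IP address answered for by more than one MAC, is something a monitor host can check for itself. The following is an added example, not code from the thread: it parses a constructed ARP-reply log (the `port=... reply <ip> is-at <mac>` format is invented here), reports IPs claimed by several MACs, and lists the ports whose replies contradict a static ARP table, which is the per-port isolation reaction the post describes.

```python
"""Detect conflicting ARP replies on a segment. Added example; the log
format and sample data below are constructed, not taken from the thread."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ip: str
    mac: str
    port: str   # switch port the reply frame arrived on


def parse_arp_log(lines):
    """Parse constructed lines 'port=<p> reply <ip> is-at <mac>'; skip others."""
    replies = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[1] != "reply" or parts[3] != "is-at":
            continue
        port = parts[0].split("=", 1)[1]
        replies.append(ArpReply(ip=parts[2], mac=parts[4].lower(), port=port))
    return replies


def find_conflicts(replies):
    """Return {ip: {(mac, port), ...}} for every IP claimed by more than one MAC."""
    claims = defaultdict(set)
    for r in replies:
        claims[r.ip].add((r.mac, r.port))
    return {ip: c for ip, c in claims.items() if len({m for m, _ in c}) > 1}


def ports_to_isolate(replies, trusted):
    """Ports that sent a reply contradicting a static ip->mac table (trusted)."""
    return sorted({r.port for r in replies
                   if r.ip in trusted and trusted[r.ip] != r.mac})


# Constructed sample: port 7 answers for 10.0.0.1 with a MAC that is not the
# one recorded in the static table.
SAMPLE_LOG = [
    "port=1 reply 10.0.0.1 is-at 00:11:22:33:44:01",
    "port=2 reply 10.0.0.2 is-at 00:11:22:33:44:02",
    "port=7 reply 10.0.0.1 is-at DE:AD:BE:EF:00:07",
    "port=1 reply 10.0.0.1 is-at 00:11:22:33:44:01",
    "malformed line that should be ignored",
]
STATIC_ARP = {"10.0.0.1": "00:11:22:33:44:01", "10.0.0.2": "00:11:22:33:44:02"}

if __name__ == "__main__":
    replies = parse_arp_log(SAMPLE_LOG)
    print("conflicts:", find_conflicts(replies))
    print("isolate ports:", ports_to_isolate(replies, STATIC_ARP))
```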