Firewall Wizards mailing list archives
Re: dirty packet tricks?
From: wolt () igd fhg de (Stephen D. B. Wolthusen)
Date: 11 Jul 2002 18:33:33 +0200
Hi,

Ryan Russell <ryan () securityfocus com> writes:

[...]

> Wow, that's..not normal. OK. So, you want to build a hijacking router. So
> what do the route tables and subnet masks on the client machines look like,
> in theory? The clients have to believe that there is some route to the
> Internet, or they won't ever bother trying to get there. They either have to
> believe the Internet is all on the local segment (subnet mask 0.0.0.0,
> probably not workable..) or they have to think that it's through another
> router. I have to assume that if you don't want your transparent proxy thing
> to be the "official" router, then there must be another router, which means
> you must have multiple local subnets. Your firewall will have to have the
> ability to suck packets off all subnets you want to be able to reach the
> Internet, or have multiple ones, etc...
... phrased like that it is starting to sound a lot like a souped-up switch
(OK, multiport bridge). Sane switches treat multiple ARP responses (MAC
addresses) as fault conditions and isolate the port the offending frames
came from, so this probably won't go very far in most modern networks.
To catch all traffic (statically configured media address resolution tables
aren't that rare, it will save you a lot of headaches in some
fault-tolerant/clustered environments) and still meet the original
requirement, the firewall/monitor effectively has to act as a multiport
bridge (Lucent did this some years back and sell such a thing - if they're
still around by the time I'm writing this). This means the usual bandwidth
issues in switched/fabric environments, but the best bet is probably to hack
up the switch OS, make port/VLAN mirroring a two-way street and then do
whatever you need on a host attached to the mirroring patch.
That's uglier than Saddam's hairy butt, and one of the reasons why
distributed firewalling/ID is probably the only way out of the bandwidth
mess (among others). Now there's some flame bait.
--
later,
Stephen
Fraunhofer-IGD | mailto:
Stephen Wolthusen | wolt () igd fhg de
Fraunhoferstr. 5 | swolthusen () acm org
64283 Darmstadt | swolthusen () ieee org
GERMANY | stephen () wolthusen com
|
Tel +49 (0) 6151 155 539 | Fax: +49 (0) 6151 155 499
+49 (0) 172 916 9883 | +49 (0) 6245 905 366
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
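The post above notes that a sane switch treats multiple ARP responses for one address (different MACs, or the same address answered from different ports) as a fault and isolates the offending port. The following is an added example, not code from the thread or from any switch vendor, that does the same bookkeeping in software over a constructed log of ARP replies tagged with the switch port they arrived on: the first (port, MAC) binding seen for an IP is trusted, later replies that differ are reported as conflicts, and the ports that sourced them are listed for isolation. The log format, the function names and the sample addresses are all assumptions made for the example.

```python
"""Detect conflicting ARP replies (one IP answered by several MACs/ports).

Added example, not code from the mailing list thread. It models the
switch behaviour described in the post: the first binding seen for an
address is trusted, and any later reply that binds the same IP to a
different MAC or arrives on a different port is a fault, attributed to
the port it came from. The log format and sample records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    port: int          # switch port the reply frame arrived on
    sender_ip: str     # IP address the reply claims to own
    sender_mac: str    # MAC address the reply binds to that IP


def parse_records(lines):
    """Parse 'port,sender_ip,sender_mac' lines (constructed log format).

    Blank lines and '#' comments are skipped; MACs are normalised to
    lower case so that case differences alone never count as a conflict.
    """
    replies = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        port, ip, mac = (field.strip() for field in raw.split(","))
        replies.append(ArpReply(int(port), ip, mac.lower()))
    return replies


def find_conflicts(replies):
    """Return {ip: [(port, mac), ...]} for every IP whose binding changed.

    The first (port, mac) pair seen for an IP is the trusted binding.
    A later reply with the same pair is a harmless repeat; a reply with
    a different MAC or from a different port is recorded as a conflict.
    """
    trusted = {}
    conflicts = defaultdict(list)
    for reply in replies:
        binding = (reply.port, reply.sender_mac)
        if reply.sender_ip not in trusted:
            trusted[reply.sender_ip] = binding
        elif binding != trusted[reply.sender_ip]:
            conflicts[reply.sender_ip].append(binding)
    return dict(conflicts)


def ports_to_isolate(replies):
    """Sorted list of ports that sourced a conflicting binding.

    This is the switch's fault reaction from the post: shut the port the
    offending frames came from rather than the port of the legitimate host.
    """
    return sorted({port
                   for bindings in find_conflicts(replies).values()
                   for port, _mac in bindings})


# Constructed sample: ports 1-3 hold the legitimate hosts; port 7 answers
# for two addresses it does not own, using its own MAC.
SAMPLE_LOG = """
# port,sender_ip,sender_mac   (constructed records)
1,10.0.0.1,00:11:22:33:44:01
2,10.0.0.2,00:11:22:33:44:02
1,10.0.0.1,00:11:22:33:44:01
7,10.0.0.1,de:ad:be:ef:00:07
7,10.0.0.2,de:ad:be:ef:00:07
3,10.0.0.3,00:11:22:33:44:03
"""


if __name__ == "__main__":
    replies = parse_records(SAMPLE_LOG.splitlines())
    for ip, bindings in sorted(find_conflicts(replies).items()):
        for port, mac in bindings:
            print(f"conflict: {ip} also claimed by {mac} on port {port}")
    print("isolate ports:", ports_to_isolate(replies))
```

Run as a script it reports both hijacked addresses and names port 7 as the one to isolate. The choice to trust the first binding seen is the simplest policy and the one the post attributes to switches; on a real network the trusted table would normally be seeded from DHCP leases or a static configuration instead, since an attacker who answers first would otherwise become the trusted entry.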
