IDS mailing list archives

Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?)

From: Mike Frantzen <frantzen () nfr com>
Date: Sun, 29 Aug 2004 22:21:35 -0400

On Aug 18, 2004, at 2:29 PM, Joel Snyder wrote:

To get into the firewall sweepstakes, you have to start with stateful 
packet inspection, not the weak crap you get for free in some freeware 
firewalls, but something that watches sequence numbers and the *full* 
TCP state machine, plus options, defragmentation, all that jazz.

A genuine (non-rhetorical) question:
Why do we think this is true?


This is going to be an extremely controversial answer that the security
purists probably will not like.  But they're fun to piss off so here goes.

The real benefit of a full fledged TCP state machine is knowing when to
expire an idle connection.  If we expire a connection too early, then
the next packet that comes in on it will appear to be a new connection
and several things may happen:
  1) it gets logged as a different connection
  2) it gets NATs to a different IP or port
  3) you lose the TCP window scale value
  4) the connection will break if you only allow state creation on a SYN
  5) any sequence number modulation will break the connection
  6) any TCP timestamp modulation will probably break the connection
  
When you know what state a connection is in, you can statistically
determine the timeouts.  For instance almost all SYNs are followed by a
SYN|ACK within 120 seconds.  The SYN|ACK will be followed by an ACK
within 30 seconds....

What are the security benefits of watching sequence numbers, the TCP 
state machines, and options? (Sidenote: someone should do a quick study 
to see how many "stateful firewalls" properly implement TCP PAWS --- 
like every modern OS TCP stack does).


Lol.  Dug Song and his love of PAWS is rubbing off on you.

But ya, I implemented PAWS checks in OpenBSD's PF as an interaction
between the scrubber and the TCP state code.  Was able to use the
timestamp as an extension of the sequence numbers to make blind data
injection much harder.  We know that the TCP timestamp will be less than
the last value echoed by the other endhost (conventional PAWS).  But the
trick is that the RFC limits the timestamp clock to 1KHz max so we know
the timestamp will not have increased by more than 1,000 * idle seconds.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP:  CC A4 E2 E8 0C F8 42 F0  BC 26 85 5B 6F 9E ED 28

Current thread:

Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Jacob Winston (Aug 18)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Ron Gula (Aug 19)
  - RE: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Gary Halleen (Aug 19)
- RE: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Rob Shein (Aug 20)
  - Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) M. Dodge Mumford (Aug 20)
    - Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Shaiful (Aug 24)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Srini (Aug 20)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Joel Snyder (Aug 20)
  - Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Thomas Ptacek (Aug 25)
    - Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) nick black (Aug 29)
    - Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Mike Frantzen (Aug 30)
    - Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) nick black (Aug 30)
    - Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Mike Frantzen (Aug 30)
- Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Greg Shipley (Aug 30)
- <Possible follow-ups>
- RE: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Fulp, J.D. USA (Aug 18)
- RE: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Brito, Nelson (ISS Brazil) (Aug 20)
- RE: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Jose Maria Lopez (Aug 30)
- RE: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?) Bob Walder (Aug 31)