Penetration Testing mailing list archives

Re: [PEN-TEST] NAT / Stateful Packet Inspection Questions


From: Andre Delafontaine <andre.delafontaine () ECHOSTAR COM>
Date: Wed, 27 Sep 2000 11:06:42 -0600

I have been thinking about this exact same problem lately.

The easiest way I can think of getting around this kind of setup would
be to get the server to download and execute some nasty code by having
it visit some website (JPEG header buffer overflow in Netscape?), view
some email (Outlook attachment handling problems?) or some similar
method of indirectly contacting the server.

Once the server executes the nasty code, have it discover the NAT'ed
protocols and initiate a connection through the firewall (data tunneling
through ICMP, http, DNS, ... See recent posts on BugTraq and on this
list) to some external host that would "remote control" the inside
server.

You do say that your setup contains a server. Is that server available
from the Internet at all? Does it serve some protocol (http, ftp)? If
so, then the firewall is doing portforwarding and won't protect that
particular service from "good-looking" traffic, i.e. traffic that passes
Stateful Packet Inspection: how can SPI know that web server X can't
support a get request with a filename longer than Y characters without
overflowing a buffer? If we knew about the vulnerability, it would be
fixed in the server itself.

This said, this setup does offer much better protection than no firewall
at all :-)


Just my 2c,

Andre
--
Last yeer I kudn't spel Engineer.  Now I are won.

             andre.delafontaine at echostar.com

  F20 DSS: BD75 66D9 5B2C 66CE 9158  BB27 B199 59CE D117 4E9F
   F16 RSA: F8 04 FE 50 02 B5 03 02  F6 87 C7 8D F9 2E B8 58


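One defensive check for the DNS data-tunnelling channel the post mentions (an added example, not code from the original post or its author): a heuristic run over a constructed DNS query log that flags a client sending many distinct, long, high-entropy subdomains to a single domain, which is what a tunnel looks like to a resolver log even though every packet passes stateful inspection. The sample log, the thresholds and the naive two-label registered-domain split are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of (client IP, queried name) pairs, not real traffic:
# 10.0.0.7 shows the many long, high-entropy subdomains a DNS tunnel produces.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "a3f9c2e1b7d4e6f0a1b2c3d4e5f6a7b8.tun.example.net"),
    ("10.0.0.7", "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.tun.example.net"),
    ("10.0.0.7", "0f1e2d3c4b5a69788796a5b4c3d2e1f0.tun.example.net"),
    ("10.0.0.7", "deadbeefcafef00d0123456789abcdef.tun.example.net"),
    ("10.0.0.9", "cdn.example.org"),
]

def shannon_entropy(text):
    """Bits per character; hex/base32 payloads score near 4-5, plain words near 3."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def split_name(name):
    """Naive split into (subdomain part, registered domain). Assumes a two-label
    registered domain, so public-suffix cases such as co.uk are not handled."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def query_is_suspicious(name, max_sub_len=30, min_entropy=3.5):
    """A query looks like tunnel payload when the part below the registered
    domain is both long and high-entropy; long but repetitive names are not."""
    sub, _ = split_name(name)
    return len(sub) > max_sub_len and shannon_entropy(sub) >= min_entropy

def tunnel_candidates(queries, min_unique=3):
    """Group suspicious queries by (client, registered domain) and report pairs
    with many distinct subdomains, since a tunnel never repeats its payload."""
    seen = defaultdict(set)
    for client, name in queries:
        if query_is_suspicious(name):
            sub, domain = split_name(name)
            seen[(client, domain)].add(sub)
    return {key: len(subs) for key, subs in seen.items() if len(subs) >= min_unique}

if __name__ == "__main__":
    for (client, domain), count in tunnel_candidates(SAMPLE_QUERIES).items():
        print(f"{client} -> {domain}: {count} distinct high-entropy subdomains")
```

Tune the thresholds against your own resolver logs before alerting on them; CDNs and some mail providers legitimately use long hashed labels, so the per-domain distinct-subdomain count matters more than any single query.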