Security Basics mailing list archives

RE: 192.168.x.x oddities


From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Wed, 23 Jun 2004 17:01:18 -0400

Being a security-basics list, I feel the need to point something out
here.  I've forgotten if it was ISS, or IBM, or maybe even Gartner which
stated that somewhere near 60 percent of the firewalls deployed are
deployed incorrectly.  This is highlighted by the topic of conversation
below.

When configuring firewall rules, it is imperative to lock networks to
appropriate interfaces.  I believe that most of the "misconfigured"
firewalls out there are the ones that fail to do this.  Forgive my
overly simplistic pseudo-firewall-rules below:

Bad config (assuming rules match in order):

Allow      192.168.x.x    any-destination    list-of-ports-and-services
Drop-log   anywhere       anywhere           any-ports-services

At a glance, this looks safe, because we're using pessimistic security.
Drop everything, allow only what we want.  But, if someone on the
outside manages to generate a packet using our internal IP netblock, it
might be possible to get a packet passed from the outside, right on
through to the inside.  From a pure layer3 standpoint (routing issues
aside...) the firewall rules above do nothing to prevent such an attack.

A much safer config might be as such:

Allow      192.168.x.x    any-destination    list-of-ports-and-services    ORIGINATES-INTERNAL-INTERFACE
Drop-log   anywhere       anywhere           any-ports-services            any-interface

If a firewall is configured to do this, martians appearing with sources
in 192.168.x.x coming from an untrusted interface (say, the one pointed
at the internet) will just get dropped and logged anyway.  Problem
solved, no?

Answer to the below is NO.  You could change your internal 
network to 10.x.x.x instead of 192.x.x.x if that makes you 
feel more secure.  
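As an added illustration, not code from the post or from the list: a small first-match rule evaluator in Python that applies the two pseudo-rulesets above to a legitimate packet from the LAN and to a packet arriving on the Internet-facing interface with a spoofed 192.168.x.x source. The interface names eth0 (Internet side) and eth1 (internal) and the port set are assumptions; the packets are constructed sample data.

```python
# Added example: first-match evaluation of the "bad" and "safer" pseudo-rulesets.
# Interface names eth0 (Internet) / eth1 (LAN) and the port list are assumed.
from ipaddress import ip_address, ip_network

ANY = None  # wildcard for source, destination, ports, or interface


def rule(action, src=ANY, dst=ANY, ports=ANY, iface=ANY):
    """Build one rule; a field left as ANY matches everything."""
    return {"action": action, "src": src, "dst": dst, "ports": ports, "iface": iface}


def matches(r, pkt):
    """True when every non-wildcard field of the rule matches the packet."""
    return ((r["src"] is ANY or ip_address(pkt["src"]) in ip_network(r["src"]))
            and (r["dst"] is ANY or ip_address(pkt["dst"]) in ip_network(r["dst"]))
            and (r["ports"] is ANY or pkt["dport"] in r["ports"])
            and (r["iface"] is ANY or pkt["iface"] == r["iface"]))


def evaluate(ruleset, pkt):
    """Rules match in order (as the post assumes); first hit decides."""
    for r in ruleset:
        if matches(r, pkt):
            return r["action"]
    return "drop-log"  # default deny if nothing matched


# "Bad config": the allow rule trusts the source address alone.
BAD = [
    rule("allow", src="192.168.0.0/16", ports={22, 80, 443}),
    rule("drop-log"),
]

# "Safer config": the allow rule also requires ingress on the internal interface.
GOOD = [
    rule("allow", src="192.168.0.0/16", ports={22, 80, 443}, iface="eth1"),
    rule("drop-log"),
]

# Constructed sample packets: same spoofable header, different ingress interface.
LEGIT = {"src": "192.168.1.10", "dst": "192.168.1.20", "dport": 22, "iface": "eth1"}
SPOOFED = {"src": "192.168.1.10", "dst": "192.168.1.20", "dport": 22, "iface": "eth0"}

if __name__ == "__main__":
    for name, rs in (("bad", BAD), ("good", GOOD)):
        print(name, "legit:", evaluate(rs, LEGIT), "spoofed:", evaluate(rs, SPOOFED))
```

The bad ruleset returns "allow" for both packets; only the interface-bound ruleset drops and logs the spoofed one.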


