Firewall Wizards mailing list archives
Re: Proxy 2.0 secure? (AG vs. SPF)
From: "Ryan Russell" <ryanr () sybase com>
Date: Tue, 30 Jun 1998 13:49:21 -0700
And so on, and so forth.
It will be difficult for us to discuss the tradeoffs between packet filtering and proxying if we cannot agree on definitions. Your definition of stateful filtering:
Know what the difference between an AG and an SPF is? The AG allocates the socket from the OS. The SPF allocates the connection from itself. If one wants to write an SPF that answers the system calls that allocate sockets, you can have all the security you like at the application layer, and get the extra security available with a really well written SPF. Anyone know how
... is very far removed from my definition, which is "a device which filters packets". The basic concern I have with your argument at this point is that much of what you suggest as an improvement for a stateful filter would turn the machine into a proxy.
I understand that a stateful filter can reassemble fragments. However, by my definition, as soon as the firewall collects and reassembles fragments, and transmits the reassembled fragment, it has ceased "filtering" --- the firewall did not allow any external traffic through, but rather interpreted the packets itself and sent the internal hosts it's interpretation. This is a defining difference between a packet filter and a proxy.
If I may read a little into what I think you're trying to say.... As soon as an SPF does something like fragment reassembly or buffering a couple packets, it's now a proxy. All it's allowed to do is look at one packet at a time, and forward it, possibly using some flag it set based on previous packets. Fair? This is regardless of whether or not it uses the IP stack of the host OS. If that's the case, then there aren't any SPF firewalls on the market. Any SPF firewall that wants to sell a copy has to handle FTP. If they want to handle FTP, then they have to be able to buffer enough of the datastream to get and modify the port command. If what you say is the case, then Checkpoint is making AGs look really bad. I still like my definition better: An AG relies on a traditional IP stack (good, bad, hardened, indifferent) and SPFs don't. AGs allocate sockets from the OS, and SPFs don't. AGs get to take advantage of the properties of the IP stack (good or bad) and SPFs have to create the same functionality themselves.
Your concern with application gateways is that they have increased vulnerability to attacks against their own IP stack. This is a valid point. However, you must keep in mind that this vulnerability is a result of the fact that the A-G needs more code to function than a typical stateful filter. As you add more code to a stateful filter, to make it approximate normal IP stacks, strip off protocol data, or reassemble fragments, you make the filter more like a proxy, with all the attendant risks.
Yup. The bigger the codebase, the better the chance you'll screw up. Perhaps there is some advantage to being able to choose a weaker checker if one feels the protocol warrants it, i.e. the equivalent of a circuit-level proxy.
Now, my concern with a firewall implementation doesn't linger too long on the security of the firewall's own IP stack --- not because this isn't an issue, but because it's a simplifying assumption for my research that a given firewall is implemented carefully enough so that it isn't vulnerable to direct attacks.
So you like the IP stack as an arbitrary abstration layer.
If the security of the firewall machine itself is more of a concern to you than the overall security of the network with the firewall installed on it, you may have a valid reason to distrust application gateways, as opposed to simple stateful filters. Personally, I think the firewall's effectiveness at it's job is more important.
I'd like both, but if the firewall gets compromised, I'm totally screwed. If one inside machine gets compromised, I may not be screwed quite as bad. If lots of inside machines get compromised, I'm probably as screwed as if the firewall got compromised. SPFs will tend to be an all-or-nothing proposition. AGs will tend to be split along the line of IP stack problems on the gateway, vs. bad protocol checking at the AG level. Which is appropriate depends on your risk assesment. Currently, AG vendors have the advantage that they've been doing it longer, and the good ones seem to care about checking data better.
Your argument continues with some poor assumptions, which I'll point out but try not to linger on:
So... if there was some IP-layer root compromise was discovered, the machine running the AG would get compromised. For a bad
An SPF doesn't have to know how to deal with every IP stack it protects.
It absolutely does. Remember, a defining difference between filtering and
.proxying is that in filtering, original packets are forwarded to internal
hosts. This forwarding is "guarded" by a filtering engine which attempts to make determinations about the implications of each packet. If the filtering engine does not know how an end-system will react to a given packet, it has a reduced capability to make conclusions about the security of the packet.
That's your definition of SPF. I reserve the capability to rebuild the entire packet as part of my definition of SPF. None do this well currently. I think most people would call FW1 and PIX SPF products (leaving out the AGs that FW-1 can also use) and they can rebuild packets.
There are two different outcomes of this problem: either the filter will, as a precaution, block any ambiguous traffic it sees, thus damaging connectivity by filtering legitimate traffic, or it will allow ambiguous traffic to be forwarded, thus damaging the security of the network by allowing packets with unknown implications to be forwarded.
Or rebuild the packets, or buffer until they get later packets.
An SPF filter that does "the same job" as a proxy is a proxy. There is no way to do the same job as a proxy without becoming an endpoint in network communication (in other words, generating your own traffic to send).
It's quite possible to do the job of a proxy (if you define it as the resulting bits on the wire) with an SPF. Why not?
With a bad SPF, sure. Again, I claim that SPFs can do as much, or
more,
than "real" IP stacks.
I don't understand the logic behind this assertion. By definition, a packet filter does less than an IP stack. IP stacks have free rein to do whatever they want with traffic.
I phrased that badly. What I meant to say is that a good SPF can take into account things all the way down to layer 1, and up to layer 7. So, an AG can't make any decisions about forwarding a connection based on stuff below layer 5 typically. For example, take winnuke. An AG would automatically strip off the URG flag, and pass the data into the protected NT box. The NT box would be fine, since it didn't get the URG flag. The AG also can't record the fact that someone tried to winnuke your NT box. The SPF could.
But any AG running on NT with the MS stack was?
No, even A-G's running on NT did not create this vulnerability. The reason this NT fragmentation bug was a serious security problem was because it allowed fragments to be forwarded through firewalls without having their security implications properly evaluated. Even on NT, an application gateway doesn't forward fragments. While it is possible to send an invalid stream of fragments to an NT A-G and have them reassembled, this does not impact the security of the network.
My question was: Would the NT box, running the AG software, using the default MS IP stack, crash?
I imagine the IDS vendors will have to start assembling fragments, and checking for valid frag pointers. Are you implying that they can't, won't, or it's too hard?
Yes. See http://www.secnet.com/ids for a 60+ page technical report that explains why we think it is "too hard" for a sniffer-based IDS to perform tasks like fragmentation reassembly accurately. Key point: there are pathological fragmentation streams which will be reassembled in two different ways by two different stacks. Again, exploitable inconsistancy.
I'll re-read it. I only skimmed it before. I can see you point about different stacks reassembling different ways. From an IDS point of view, would it only be "illegal" fragment streams that have the behavior of reassembling deifferently on different machines? If so, could the IDS always flag that as an intrution attempt? For firewall purposes, is there always a "right" way to reassemble fragments? If they fragments won't reassemble properly because of someone diddling with the pointers, would it not always be a good idea to drop those?
Then why does it matter if the security is in two seperate pieces.. IP stack and AG code, versus one piece, well written SPF?
Because you are comparing apples to oranges, and confusing the comparison by putting it the context of an implementation question, which has little to do with this argument.
You seemed to indicate that some extra security was gained from having this abstraction layer of IP stack and proxy software, as opposed to a one-piece solution. This appeared to me to be an implementation issue. You've since clarified, and claim the if the SPF hangs onto a packet, it's now an AG, so I can more easily see why you make the distinction. Ryan
Current thread:
- Re: Proxy 2.0 secure? (AG vs. SPF) Ryan Russell (Jun 29)
- Re: Proxy 2.0 secure? (AG vs. SPF) tqbf (Jun 30)
- <Possible follow-ups>
- Re: Proxy 2.0 secure? (AG vs. SPF) Ryan Russell (Jun 30)
- Re: Proxy 2.0 secure? (AG vs. SPF) tqbf (Jun 30)
- Re: Proxy 2.0 secure? (AG vs. SPF) Ryan Russell (Jun 30)