Firewall Wizards mailing list archives
Re: Sliding/Shifting/Morphing firewalls
From: montenegro () nutec com br
Date: Thu, 11 Feb 1999 16:01:41 -0300
Hi!

If you already have the receiving end's firewall to agree with you to "dance" (either by port hopping or obfuscating traffic), why not just "agree" on a firewall-to-firewall VPN and be done with it?

As for shifting port numbers, that is quite interesting. The only concern is that if the firewall runs a proxy for a service that uses high port source numbers (I don't know of any off the top of my head, but there is bound to be one out there...) you have to start paying attention to your range selection for possible port numbers.

Cheers,
Fernando

--
Fernando da Silveira Montenegro
Nutec Servicos Corporativos
System/Network Consultant
Rua Florida, 1821/11th floor
04565-001 - Sao Paulo, SP, BRAZIL
mailto:montenegro () nutec com br
http://www.nutec.com.br
voice.:+55-11-5505-5728
fax...:+55-11-5505-1918
#include <disclaimer.h>

Please respond to "Stephen P. Berry" <spb () meshuga incyte com>
To: "Stout, Bill" <StoutB () pioneer-standard com>
cc: firewall-wizards () nfr net (bcc: Fernando Montenegro/Nutec Informatica)
Subject: Re: Sliding/Shifting/Morphing firewalls
> Bill Stout <StoutB () pioneer-standard com>
>
>> [...thinking...] It reminds me of military spread-spectrum frequency-hopping radio systems which make it difficult to find transmitting sites, however in the SSFH analogy, the radios 'danced' across the band (port numbers) with each other. Come to think of it, it wouldn't be difficult to apply this technology to the Internet, where it may comprise a RAIDset of firewalls which talk to another RAIDset of firewalls and packets synchronously danced across IP addresses and port numbers [tm]... Dibs! If anyone makes any money with this idea, I get royalties! ;^)
>
> I've used similar techniques for concealing (or obfuscating, anyway) the movement of data from one place to another. I.e., when I want reasonably synchronous notification of some event from some sensor, but don't want to advertise the fact that the sensor is looking for events of that type. In such situations, generating some decoy traffic is generally useful. If you're interested in muddying the waters beyond the portdancing the RAID firewalls (firewobbles?) are doing, using some fraction of the free bandwidth between them for decoy traffic might be attractive---especially if you have any nagging concerns about that PRNG you've got picking your ports for you. Presumably your protocol for all this would include some mechanism for negotiating the 'what's and 'where's for the decoy traffic---so you can distinguish between decoy traffic and spoofed traffic.
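Added example, not part of any message in this thread and not code from any product discussed in it: a toy model of the "port dance" the thread is kicking around, written to show the three points the messages raise. Both firewalls derive the port for each time slot from a shared secret with a keyed PRF (HMAC-SHA256 over a slot counter) instead of the PRNG Berry worries about; ports that a local proxy already uses (Fernando's range-selection concern) are excluded by re-deriving with a counter so both sides skip the same ones; and each packet carries a MAC over its slot, port and kind, so the receiver can tell negotiated decoy traffic from a spoofed packet that merely hit the right port. The secret, port range, slot length, skew window and packet format are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import struct
import time

# Constructed parameters for the example; nothing here is from the thread.
SECRET = b"constructed-shared-secret"   # negotiated out of band (or over the VPN)
LO, HI = 40000, 41000                    # hop range both sides agree on
SLOT_SECONDS = 10                        # how long each port is "live"
PROXY_PORTS = frozenset({40500, 40501})  # high ports a local proxy already uses


def current_slot(now=None, slot_seconds=SLOT_SECONDS):
    """Time slot number; both sides must roughly agree on wall-clock time."""
    return int(time.time() if now is None else now) // slot_seconds


def slot_port(secret, slot, lo=LO, hi=HI, exclude=frozenset()):
    """Port both sides use during `slot`.

    HMAC over (slot, counter) acts as the PRNG; without `secret` the next hop
    is unpredictable. Excluded ports are skipped by bumping the counter, which
    keeps the two sides in lockstep because both apply the same rule.
    """
    if not (0 < lo <= hi <= 65535):
        raise ValueError("bad port range")
    usable = (hi - lo + 1) - sum(1 for p in exclude if lo <= p <= hi)
    if usable <= 0:
        raise ValueError("exclusion list covers the whole range")
    counter = 0
    while True:
        mac = hmac.new(secret, struct.pack(">QI", slot, counter), hashlib.sha256).digest()
        port = lo + int.from_bytes(mac[:4], "big") % (hi - lo + 1)
        if port not in exclude:
            return port
        counter += 1


def schedule(secret, first_slot, n, lo=LO, hi=HI, exclude=frozenset()):
    """The next n hops, as either side would precompute them."""
    return [slot_port(secret, s, lo, hi, exclude) for s in range(first_slot, first_slot + n)]


def matching_slots(secret, now_slot, port, lo=LO, hi=HI, exclude=frozenset(), skew=1):
    """Receiver side: slots within +/- `skew` of now whose port is `port`.

    The window tolerates clock drift between the two firewalls; an empty list
    means the port is not scheduled and the packet should be dropped.
    """
    return [s for s in range(now_slot - skew, now_slot + skew + 1)
            if slot_port(secret, s, lo, hi, exclude) == port]


def packet_tag(secret, slot, port, kind, payload):
    """16-byte MAC binding payload to slot, port and kind ('data' or 'decoy')."""
    msg = struct.pack(">QH", slot, port) + kind.encode() + b"\0" + payload
    return hmac.new(secret, msg, hashlib.sha256).digest()[:16]


def classify(secret, now_slot, port, payload, tag, lo=LO, hi=HI, exclude=frozenset(), skew=1):
    """Sort an arriving packet into 'data', 'decoy' or 'reject'.

    A spoofed packet that lands on the live port still fails the MAC, which is
    what lets the receiver tell its own decoys from an outsider's guesses.
    """
    for slot in matching_slots(secret, now_slot, port, lo, hi, exclude, skew):
        for kind in ("data", "decoy"):
            if hmac.compare_digest(packet_tag(secret, slot, port, kind, payload), tag):
                return kind
    return "reject"


if __name__ == "__main__":
    slot = current_slot()
    print("next hops:", schedule(SECRET, slot, 5, exclude=PROXY_PORTS))
    port = slot_port(SECRET, slot, exclude=PROXY_PORTS)
    good = packet_tag(SECRET, slot, port, "decoy", b"noise")
    print(classify(SECRET, slot, port, b"noise", good, exclude=PROXY_PORTS))       # decoy
    forged = packet_tag(b"guessed-key", slot, port, "data", b"noise")
    print(classify(SECRET, slot, port, b"noise", forged, exclude=PROXY_PORTS))     # reject
```

The receiver never needs the sender's clock exactly: it checks the neighbouring slots, so a packet that arrives just after a hop still matches. Nothing here hides the fact that traffic flows between the two addresses; it only makes the port sequence and the real/decoy split unpredictable to anyone without the secret, which is the most this idea buys over the VPN Fernando suggests.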