Re: Sliding/Shifting/Morphing firewalls

[montenegro () nutec com br]

Hi!

If you already have the receiving end´s firewall to agree with you to
"dance" (either by port hopping or obfuscating traffic), why not just
"agree" on a firewall-to-firewall VPN and be done with it?

As for shifiting port numbers, that is quite interesting. The only concern
is that if the firewall runs a proxy for a service that uses high port
source numbers (I don't know of any off the top of my head, but there is
bound to be one out there...) you have to start paying attention to your
range selection for possible port numbers.

Cheers,
Fernando
--
Fernando da Silveira Montenegro     Nutec Servicos Corporativos
System/Network Consultant           Rua Florida, 1821/11th floor
mailto:montenegro () nutec com br      04565-001 - Sao Paulo, SP, BRAZIL
voice.:+55-11-5505-5728             http://www.nutec.com.br
fax...:+55-11-5505-1918             #include <disclaimer.h>





Please respond to "Stephen P. Berry" <spb () meshuga incyte com>
                                                              
                                                              
                                                              
 To:      "Stout, Bill" <StoutB () pioneer-standard com>         
                                                              
 cc:      firewall-wizards () nfr net(bcc: Fernando              
          Montenegro/Nutec Informatica)                       
                                                              
                                                              
                                                              
 Subject: Re: Sliding/Shifting/Morphing firewalls             
                                                              







-----BEGIN PGP SIGNED MESSAGE-----


Bill Stout <StoutB () pioneer-standard com>

> [...thinking...]  It reminds me of military spread-spectrum
> frequency-hopping radio systems which make it difficult to find
transmitting
> sites, however in the SSFH analogy, the radios 'danced' across the band
> (port numbers) with each other.  Come to think of it, It wouldn't be
> difficult to apply this technology to the Internet, where it may comprise
of
> a RAIDset of firewalls which talk to another RAIDset of firewalls and
> packets synchronously danced across IP addresses and port numbers [tm]...
> Dibs!  If anyone makes any money with this idea, I get royalties!  ;^)

I've used similar techniques for concealing (or obfuscating, anyway)
the movement of data from one place to another.  I.e., when I want
reasonably synchronous notification of some event from some sensor, but
don't want to advertise the fact that the sensor is looking for events
of that type.  In such situations, generating some decoy traffic is
generally useful.

If you're interested in muddying the waters beyond the portdancing
the RAID firewalls (firewobbles?) are doing, using some fraction
of the free bandwidth between them for decoy traffic might be
attractive---especially if you have any nagging concerns about
that PRNG you've got picking your ports for you.  Presumably your
protocoal for all this would include some mechanism for negotiating
the `what's and `where's for the decoy traffic---so you can distinguish
between decoy traffic and spoofed traffic.