Firewall Wizards mailing list archives

Re: Firewall comparison in Data Communications


From: Chris Brenton <cbrenton () sover net>
Date: Wed, 02 Jun 1999 07:05:04 -0400

Brian Steele wrote:

<newbie-mode>What's a "source-routed packet"?  And what danger does it pose
to a Firewall?</newbie-mode>

From:
http://www.geek-speak.net/papers/Fwfaq2.htm

What is source routed traffic and why is it a threat? 
Normally the path a packet follows from its source to destination is
determined by the routers between these two systems. The packet itself
only says where it wants to go (the destination IP address), and nothing
about how it expects to get there. 

There is an optional way for the transmitting system (the source) to
include information in the packet that identifies the route the packet
should follow in order to get to its destination; thus the name "source
routing." For a firewall, source routing is noteworthy since an attacker
can generate traffic claiming to be from a system "inside" the firewall,
even though the transmitting system is located out on the Internet
(referred to as IP spoofing). The source routing information would then
be used in reverse in order to return the reply to the attacker's
machine out on the Internet. Implementing such an attack is very easy;
so firewall builders should not discount it as unlikely to happen. 

In practice source routing is not popular. In fact, the legitimate use
is in debugging network problems or routing traffic over specific links
for congestion control for specialized situations. When building a
firewall, all source routing should be blocked. Most commercial routers
incorporate the ability to block source routing specifically, and many
versions of UNIX that might be used to build a firewall bastion have the
ability to disable or ignore source routed traffic. 

Cheers,
Chris
-- 
**************************************
cbrenton () sover net

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet


