Firewall Wizards mailing list archives
Re: Firewall comparison in Data Communications
From: Chris Brenton <cbrenton () sover net>
Date: Wed, 02 Jun 1999 07:05:04 -0400
Brian Steele wrote:
<newbie-mode>What's a "source-routed packet"? And what danger does it pose to a Firewall?</newbie-mode>
From: http://www.geek-speak.net/papers/Fwfaq2.htm

What is source routed traffic and why is it a threat?

Normally the path a packet follows from its source to destination is determined by the routers between these two systems. The packet itself only says where it wants to go (the destination IP address), and nothing about how it expects to get there. There is an optional way for the transmitting system (the source) to include information in the packet that identifies the route the packet should follow in order to get to its destination; thus the name "source routing."

For a firewall, source routing is noteworthy since an attacker can generate traffic claiming to be from a system "inside" the firewall, even though the transmitting system is located out on the Internet (referred to as IP spoofing). The source routing information would then be used in reverse in order to return the reply to the attacker's machine out on the Internet. Implementing such an attack is very easy; so firewall builders should not discount it as unlikely to happen.

In practice source routing is not popular. In fact, the legitimate use is in debugging network problems or routing traffic over specific links for congestion control for specialized situations. When building a firewall, all source routing should be blocked. Most commercial routers incorporate the ability to block source routing specifically, and many versions of UNIX that might be used to build a firewall bastion have the ability to disable or ignore source routed traffic.

Cheers,
Chris

--
**************************************
cbrenton () sover net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
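The "block all source routing" rule from the FAQ quoted above, shown as a small IPv4 option parser that a packet filter could apply (an added example, not code from the post or the FAQ). It walks the IPv4 header options, flags the Loose (0x83) and Strict (0x89) Source Route options defined in RFC 791, and drops any packet carrying one; the packet builder and the 10.0.0.x/203.0.113.x addresses are constructed test input, and the checksum is left zero because only the options field is inspected.

```python
import ipaddress
import struct

LSRR = 0x83  # Loose Source and Record Route (RFC 791)
SSRR = 0x89  # Strict Source and Record Route (RFC 791)


def parse_ipv4_options(packet: bytes) -> list:
    """Return (type, payload) tuples from the IPv4 header options field."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, i, result = packet[20:ihl], 0, []
    while i < len(opts):
        t = opts[i]
        if t == 0:                        # End of Option List
            break
        if t == 1:                        # NOP: single byte, no length
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("bad option length")
        length = opts[i + 1]
        result.append((t, opts[i + 2:i + length]))
        i += length
    return result


def source_route(packet: bytes):
    """Return ('loose'|'strict', [hop IPs]) if LSRR/SSRR present, else None."""
    for t, payload in parse_ipv4_options(packet):
        if t in (LSRR, SSRR):             # payload = pointer byte + 4-byte hops
            hops = [str(ipaddress.IPv4Address(payload[j:j + 4]))
                    for j in range(1, len(payload) - 3, 4)]
            return ("strict" if t == SSRR else "loose", hops)
    return None


def filter_verdict(packet: bytes) -> str:
    """Firewall policy from the FAQ: drop anything source-routed (or malformed)."""
    try:
        return "DROP" if source_route(packet) else "ACCEPT"
    except ValueError:
        return "DROP"


def build_packet(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed IPv4 header (no payload) with the given options, padded to 4 bytes."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + options


def lsrr_option(hops: list) -> bytes:
    """LSRR option: type, length, pointer (4 = first hop), then the hop list."""
    body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([LSRR, 3 + len(body), 4]) + body
```

The constructed case a filter would see is a packet whose source claims an inside address while an LSRR option names an outside hop for the return path; `filter_verdict` returns DROP for it and ACCEPT for the same header without the option.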
Current thread:
- Re: Firewall comparison in Data Communications Matt Curtin (Jun 01)
- <Possible follow-ups>
- RE: Firewall comparison in Data Communications Brian Steele (Jun 01)
- RE: Firewall comparison in Data Communications Ray Hooker (Jun 02)
- RE: Firewall comparison in Data Communications David T. Smith (Jun 03)
- RE: Firewall comparison in Data Communications Alexander Schreiber (Jun 03)
- Re: Firewall comparison in Data Communications Chris Brenton (Jun 03)
- Re: Firewall comparison in Data Communications Ge' Weijers (Jun 02)
- RE: Firewall comparison in Data Communications David Newman (Jun 02)
- RE: Firewall comparison in Data Communications Kevin Steves (Jun 14)
- RE: Firewall comparison in Data Communications W J La Cholter (Jun 03)
- Re: Firewall comparison in Data Communications Don Kendrick (Jun 03)
- RE: Firewall comparison in Data Communications Russ (Jun 03)
- RE: Firewall comparison in Data Communications csingletary (Jun 03)
- RE: Firewall comparison in Data Communications Rob Polansky (Jun 04)
- Re: Firewall comparison in Data Communications Steven M. Bellovin (Jun 03)
- Re: Firewall comparison in Data Communications Ge' Weijers (Jun 03)
(Thread continues...)