Firewall Wizards mailing list archives
Re: Crafted Packets Handling by Firewalls
From: "Aaron D. Turner" <aturner () vicinity com>
Date: Wed, 19 Jan 2000 15:56:04 -0800 (PST)
Much of why this is possible with FW-1 is explained in Lance Spitzner's FW-1 State Table whitepaper: http://www.enteract.com/~lspitz/fwtable.html

Short version is: Checkpoint didn't want "authorized" connections to be dropped due to a firewall restart. Since the state table gets wiped out during a:

    fwstop;fwstart

FW-1 needed a way to reconstruct the connections in the table so that existing sessions wouldn't be terminated. Hence the need for traffic such as a Syn-Ack to be allowed through.

From what I understand, there is a way to disable this via Inspect, however I'll be first to admit that Inspect is poorly documented at best.

--
Aaron Turner aturner () vicinity com 650.237.0300 x252
Security Engineer Vicinity Corp. Cell: 408-314-9874 Pager: 650-317-1821
http://www.vicinity.com

On Wed, 19 Jan 2000, Ofir Arkin wrote:
> Most Firewalls will not check for the accuracy of the packet. For example: CheckPoint Firewall-1. Assume port 80 is open to the www server. It lets a SYN-ACK packet go through when no SYN was first sent from the probing host. SYN-ACK is not the only example: SYN-FIN, RST, FIN, FIN-ACK, basically any TCP flag crafted packet. This is known and not new. But why does a "stateful" firewall not check for this behavior?
>
> The question is why firewalls do not check for accuracy of some TCP/IP suite traffic. This is a BASIC thing to check. I am not arguing that a firewall should validate all traffic, but it should at least check for abnormalities that are so obvious. This should also eliminate some of the OS detection methods.
>
> Sure you can avoid some of the OS detection methods by tweaking your open source kernel. I agree with Simple Nomad. But what can you do when you are not dealing with open source?
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Ofir Arkin Tel: 972-3-5587001
> Security QA Manager Fax: 972-3-5587003
> Packet Technologies http://www.packet-technologies.com
> ofir () packet-technologies com
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
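The check Ofir is asking for, and the trade-off Aaron describes, can be shown with a small state-table model. This is an added example written for this archive page, not code from either poster and not FW-1's INSPECT logic: a flow is admitted to the table only by a bare SYN to an allowed port, every later packet must match a tracked flow in either direction, and a SYN-ACK, RST, FIN or SYN-FIN with no matching entry is dropped. Addresses, ports and the packet trace are constructed for the demonstration.

```python
"""Minimal stateful TCP flag check (constructed example, not FW-1 code).

Flows are keyed on the (src, sport, dst, dport) 4-tuple of the opening SYN.
A packet is accepted only if it opens a new flow with a bare SYN to an
allowed destination port, or belongs to a flow already in the table.
Everything else (SYN-ACK, RST, FIN, SYN-FIN ... with no prior SYN) is dropped.
"""
from dataclasses import dataclass, field

# TCP flag bits as carried in the header
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class StatefulFilter:
    allowed_ports: frozenset
    # table maps the client->server 4-tuple to a coarse connection state
    table: dict = field(default_factory=dict)

    @staticmethod
    def _fwd(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p):
        return (p.dst, p.dport, p.src, p.sport)

    def check(self, p: Packet) -> str:
        """Return 'accept' or 'drop', updating the state table on the way."""
        fwd, rev = self._fwd(p), self._rev(p)

        # Case 1: the packet matches a tracked flow (either direction).
        if fwd in self.table or rev in self.table:
            key = fwd if fwd in self.table else rev
            from_client = key == fwd
            state = self.table[key]
            if p.flags & RST:
                del self.table[key]            # reset tears the entry down
            elif p.flags & FIN:
                self.table[key] = "closing"
            elif state == "syn_sent" and not from_client \
                    and (p.flags & (SYN | ACK)) == (SYN | ACK):
                self.table[key] = "syn_received"  # server answered our SYN
            elif state == "syn_received" and from_client and p.flags & ACK:
                self.table[key] = "established"   # handshake complete
            return "accept"

        # Case 2: a new flow may only start with a bare SYN to an allowed port.
        if p.flags == SYN and p.dport in self.allowed_ports:
            self.table[fwd] = "syn_sent"
            return "accept"

        # Case 3: no state and not a valid opener: crafted-flag probe, drop it.
        return "drop"


def run_trace(filt: StatefulFilter, packets) -> list:
    """Apply the filter to a packet sequence and return the decisions."""
    return [filt.check(p) for p in packets]


if __name__ == "__main__":
    # Constructed trace: a legitimate handshake, then a SYN-ACK probe
    # from a host that never sent a SYN (the FW-1 behaviour under discussion).
    f = StatefulFilter(frozenset({80}))
    handshake = [
        Packet("10.0.0.5", 40000, "192.0.2.10", 80, SYN),
        Packet("192.0.2.10", 80, "10.0.0.5", 40000, SYN | ACK),
        Packet("10.0.0.5", 40000, "192.0.2.10", 80, ACK),
    ]
    probe = Packet("198.51.100.7", 5555, "192.0.2.10", 80, SYN | ACK)
    print(run_trace(f, handshake))   # all accepted, flow established
    print(f.check(probe))            # dropped: no SYN ever opened this flow
```

The cost of this strictness is exactly the one Aaron's message points at: after the table is wiped (a restart, or a failover to a peer without state sync), packets from a mid-flight session arrive with ACK set and no SYN, and this filter drops them until the client reconnects. Letting SYN-ACK through is one way to avoid that; the defender's alternative is to keep the check and instead preserve or synchronise the state table across restarts, so that the crafted-flag probes Ofir lists never match a "reconstruct on sight" rule.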
Current thread:
- Crafted Packets Handling by Firewalls Ofir Arkin (Jan 19)
- Re: Crafted Packets Handling by Firewalls Aaron D. Turner (Jan 20)
- Re: Crafted Packets Handling by Firewalls Darren Reed (Jan 20)
- <Possible follow-ups>
- Re: Crafted Packets Handling by Firewalls Ryan Russell (Jan 20)
- Re: Crafted Packets Handling by Firewalls Steve . Bleazard (Jan 20)