Firewall Wizards mailing list archives

Re: Crafted Packets Handling by Firewalls


From: "Aaron D. Turner" <aturner () vicinity com>
Date: Wed, 19 Jan 2000 15:56:04 -0800 (PST)


Much of why this is possible with FW-1 is explained in Lance
Spitzner's FW-1 State Table whitepaper:

http://www.enteract.com/~lspitz/fwtable.html

Short version is:

Checkpoint didn't want "authorized" connections to be dropped due to a
firewall restart.  Since the state table gets wiped out during a:

fwstop;fwstart

FW-1 needed a way to reconstruct the connections in the table so that
existing sessions wouldn't be terminated.  Hence the need for traffic
such as a Syn-Ack to be allowed through. From what I understand, there
is a way to disable this via Inspect, however I'll be first to admit
that Inspect is poorly documented at best.

-- 
Aaron Turner        aturner () vicinity com  650.237.0300 x252
Security Engineer                         Vicinity Corp.        
Cell: 408-314-9874  Pager: 650-317-1821   http://www.vicinity.com

On Wed, 19 Jan 2000, Ofir Arkin wrote:

Most Firewalls will not check for the accuracy of the packet.

For example: CheckPoint Firewall-1 

Assume port 80 is open to the www server. It lets a SYN-ACK 
packet go through when no SYN was first sent from the probing host. 
SYN-ACK is not the only example, SYN-FIN, RST , FIN,
FIN-ACK basically any TCP flag crafted packet.

This is known and not new. But why does a "stateful" firewall 
not check for this behavior?

The question is why firewalls do not check for accuracy of
some TCP/IP suite traffic.

This is a BASIC thing to check.

I am not arguing that a firewall should validate all traffic
but it should at least check for abnormalities that are so 
obvious.

This should also eliminate some of the OS detection
methods. 

Sure you can avoid some of the OS detection methods by tweaking 
your open source kernel. I agree with Simple Nomad.

But what can you do when you are not dealing with open source?


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Ofir Arkin                  Tel: 972-3-5587001
Security QA Manager         Fax: 972-3-5587003
Packet Technologies         http://www.packet-technologies.com
                            ofir () packet-technologies com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
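The behaviour both posters describe, as an added example that is not code from either of them and not FW-1's Inspect logic: a small stateful TCP filter that tracks connections in a table and either (strict mode) drops any packet whose flags do not fit the tracked state, or (lenient mode) rebuilds an entry from an unsolicited SYN-ACK the way Aaron explains FW-1 doing after fwstop;fwstart. The header parser, the "port 80 open to the www server" rule, the addresses, the state names and the two modes are this example's own assumptions; it is fed constructed packets, including Ofir's SYN-ACK, SYN-FIN, FIN and RST probes.

```python
import struct
from collections import namedtuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

Packet = namedtuple("Packet", "src dst sport dport flags")

# Flag sets no legitimate TCP stack emits: SYN with FIN, SYN with RST,
# and a header carrying no flags at all. These are the "obvious" abnormalities.
INVALID_COMBOS = (SYN | FIN, SYN | RST, 0)


def build_tcp(sport, dport, flags, seq=0, ack=0):
    """Build a bare 20-byte TCP header (constructed test input, checksum left 0)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, 65535, 0, 0)


def parse_tcp(src, dst, raw):
    """Pull ports and the six classic flag bits out of a TCP header.
    src/dst would normally come from the IP header; here they are passed in."""
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return Packet(src, dst, sport, dport, off_flags & 0x3F)


class StatefulFilter:
    """Connection table keyed by (client, cport, server, sport). Assumed model.

    strict=True  : a flow must start with a bare SYN to an allowed port and
                   every later packet must fit the tracked state.
    strict=False : additionally accepts an unsolicited SYN-ACK that matches the
                   rule and reconstructs an ESTABLISHED entry from it, which is
                   the post-restart behaviour the thread attributes to FW-1.
    """

    def __init__(self, allowed_ports, strict=True):
        self.allowed = set(allowed_ports)
        self.strict = strict
        self.table = {}

    def _lookup(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table:
            return fwd, "c2s"
        if rev in self.table:
            return rev, "s2c"
        return fwd, None

    def check(self, pkt):
        f = pkt.flags
        if f in INVALID_COMBOS:
            return "drop: impossible flag combination"
        key, direction = self._lookup(pkt)
        if direction is None:                       # no state for this flow yet
            if f == SYN and pkt.dport in self.allowed:
                self.table[key] = "SYN_SENT"
                return "accept: new connection"
            if f == SYN | ACK and not self.strict and pkt.dport in self.allowed:
                # Lenient: treat the SYN-ACK as a session that predates a restart.
                # This is exactly the crafted packet Ofir describes getting through.
                self.table[key] = "ESTABLISHED"
                return "accept: state reconstructed from SYN-ACK"
            return "drop: no matching state"
        state = self.table[key]
        if f & RST:                                 # RST only honoured for a known flow
            del self.table[key]
            return "accept: reset"
        if state == "SYN_SENT" and direction == "s2c" and f == SYN | ACK:
            self.table[key] = "SYN_RECV"
            return "accept: SYN-ACK"
        if state == "SYN_SENT" and direction == "c2s" and f == SYN:
            return "accept: SYN retransmit"
        if state == "SYN_RECV" and direction == "c2s" and f == ACK:
            self.table[key] = "ESTABLISHED"
            return "accept: handshake complete"
        if state in ("ESTABLISHED", "CLOSING") and f & ACK and not f & SYN:
            if f & FIN:
                self.table[key] = "CLOSING"
            return "accept: data/close"
        return "drop: flags %#x inconsistent with state %s" % (f, state)


def run(flt, packets):
    """Feed (src, dst, raw_tcp_header) triples through a filter; return verdicts."""
    return [flt.check(parse_tcp(src, dst, raw)) for src, dst, raw in packets]


PROBE, WWW, CLIENT = "10.9.9.9", "192.0.2.80", "198.51.100.7"   # constructed

# Constructed traffic: the crafted probes from the thread, then a real handshake.
TRAFFIC = [
    (PROBE, WWW, build_tcp(40000, 80, SYN | ACK)),   # SYN-ACK with no prior SYN
    (PROBE, WWW, build_tcp(40001, 80, SYN | FIN)),   # SYN-FIN
    (PROBE, WWW, build_tcp(40002, 80, FIN)),         # FIN, no session
    (PROBE, WWW, build_tcp(40003, 80, RST)),         # RST, no session
    (CLIENT, WWW, build_tcp(50000, 80, SYN)),        # legitimate handshake
    (WWW, CLIENT, build_tcp(80, 50000, SYN | ACK)),
    (CLIENT, WWW, build_tcp(50000, 80, ACK)),
    (CLIENT, WWW, build_tcp(50000, 80, PSH | ACK)),
]

if __name__ == "__main__":
    for mode in (True, False):
        print("strict=%s" % mode)
        for verdict in run(StatefulFilter({80}, strict=mode), TRAFFIC):
            print("  ", verdict)
```

Run it and compare the two modes: strict mode drops all four probes and passes only the real handshake, while lenient mode lets the orphan SYN-ACK in and, because it now has an ESTABLISHED entry for that 4-tuple, will also pass follow-up data from the probing host. The flag-combination check is state-free and costs nothing, which is the point Ofir is making about SYN-FIN.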