Firewall Wizards mailing list archives

Re: Differences between firewall-packages like FW-1 and packetfilter


From: Chris Brenton <cbrenton () sover net>
Date: Tue, 16 May 2000 07:44:05 -0400

"Wigg, Guy G" wrote:

> > The big difference for me is the logging ability. FW-1 only logs the
> > first packet, does not report header info beyond IP & port numbers, and
> > in some cases lies about what it lets through and what it does not.
>
> Chris, what do you mean FW-1 lies about what it lets through in some
> cases, do you have examples of this?

You mean besides any Properties traffic that always passes unlogged? ;)

Given the Inspect chat in the last post, let me use an example that
revolves around what can happen if you make Inspect modifications:

let's say you want to support Citrix's ICA traffic which uses a
destination port of TCP/1494 and sends a predefined tag in each payload.
Let's further assume that you want to be able to key in on this tag to
prevent people from connecting via Telnet, Netcat, etc. in order to look
for potential overflow weaknesses. Sure you could just blow a hole open
through TCP/1494, but you want to leverage Inspect in order to lock down
the connection even further (that's what you paid $12K for, right? ;).

So you hack Inspect and tell it to look for the ICA tag when passing
traffic on TCP/1494. Reload the firewall and you're ready for testing.

First thing you try is "telnet metaframe_server 1494" to see if the
connection gets dumped. If you check the log file, the connection is
listed as accepted. Why? Because FW-1 only logs the initial SYN=1
packet. Since _every_ TCP application talking to this port is going to
start with a SYN=1, every session is going to appear to be accepted.
This means that I could try to bang away at your Citrix system using
Netcat till I get the tag right and you will think I'm using a real
client because all traffic is logged as accepted. It's almost as if CP
never expected anyone to actually _use_ Inspect. ;)

Can you fix this? Sure. The one hack I've found is to tweak Inspect so
that it logs the session, not the handshake. The problem here is that
you will now miss SYN scans going to any port (it's a global tweak, not a
per protocol tweak).

The real "weakness" here is the logging of the first packet but not the
rest of the session. If things change after the first packet, you don't
see it. 

HTH,
Chris
-- 
**************************************
cbrenton () sover net

* Mastering Cisco Routers
http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/
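The logging gap Chris describes, modelled as an added example (not code from the post, FW-1 or Citrix): a toy stateful filter runs three constructed TCP sessions against a header rule for TCP/1494 plus a payload-tag check, and records what two logging strategies would show. The tag bytes `ICA-TAG`, the hostname `metaframe_server` (taken from the telnet example above) and all packet contents are constructed stand-ins; the real ICA tag is not on the page.

```python
"""Toy model of first-packet logging versus session-verdict logging for a
payload-inspected rule on TCP/1494. Added example; all values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ICA_TAG = b"ICA-TAG"              # constructed placeholder for the real ICA tag
ICA_PORT = 1494                   # destination port named in the post
CITRIX_HOST = "metaframe_server"  # hostname from the post's telnet example


@dataclass
class Packet:
    dst: str
    dport: int
    syn: bool = False
    payload: bytes = b""


def header_rule_permits(pkt: Packet) -> bool:
    """Plain port/address rule: allow TCP/1494 to the Citrix host."""
    return pkt.dst == CITRIX_HOST and pkt.dport == ICA_PORT


def content_verdict(pkt: Packet) -> Optional[str]:
    """Payload check: the first data packet must start with the ICA tag.
    Returns None while there is no payload to inspect yet."""
    if not pkt.payload:
        return None
    return "accept" if pkt.payload.startswith(ICA_TAG) else "drop"


def process_session(packets: List[Packet]) -> Dict[str, Optional[str]]:
    """Run one session through the rule and return what each logging
    strategy records: the verdict at the SYN, and the verdict once the
    content check has actually run (None if the session never got that far)."""
    first_packet_log: Optional[str] = None
    session_log: Optional[str] = None
    for pkt in packets:
        if pkt.syn:
            # Only header fields exist at SYN time, so this is all the
            # first-packet logger can ever record for the session.
            verdict = "accept" if header_rule_permits(pkt) else "drop"
            first_packet_log = verdict
            if verdict == "drop":
                session_log = "drop"
                break
            continue
        verdict = content_verdict(pkt)
        if verdict is not None:
            session_log = verdict
            break
    return {"first_packet_log": first_packet_log, "session_log": session_log}


def demo_sessions() -> Dict[str, Dict[str, Optional[str]]]:
    """Three constructed sessions: a real client, a raw probe without the
    tag, and a bare SYN with no data at all."""
    real_client = [
        Packet(CITRIX_HOST, ICA_PORT, syn=True),
        Packet(CITRIX_HOST, ICA_PORT, payload=ICA_TAG + b"\x00session-data"),
    ]
    netcat_probe = [
        Packet(CITRIX_HOST, ICA_PORT, syn=True),
        Packet(CITRIX_HOST, ICA_PORT, payload=b"AAAAAAAAAAAAAAAA"),
    ]
    syn_scan = [Packet(CITRIX_HOST, ICA_PORT, syn=True)]
    return {
        "real_client": process_session(real_client),
        "netcat_probe": process_session(netcat_probe),
        "syn_scan": process_session(syn_scan),
    }


if __name__ == "__main__":
    for name, logs in demo_sessions().items():
        print(f"{name:13} first-packet log: {str(logs['first_packet_log']):7}"
              f" session log: {logs['session_log']}")
```

The probe session is the point of the post: the SYN-time log says "accept" even though the payload check later dropped it, so the two sessions look identical in the log. The bare SYN shows the trade-off Chris mentions when switching to session logging: the content check never runs, so that strategy records nothing for a scan that the first-packet logger does see.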


