Firewall Wizards mailing list archives
RE: TTL, works with Cisco ACL's to :)
From: "Ofir Arkin" <ofir () itcon-ltd com>
Date: Sat, 11 Nov 2000 01:15:59 +0200
Furthermore, when the filtering device is generating the ICMP error messages, in this case, it will give us a clear indication about the OS it is installed on. If you do not block the error messages then even if you have "transparent" networking or filtering devices along the way to the target they are exposed easily when you are using a Firewalk-like technique with allowed traffic. For example a reverse proxy transparent to the void. And there are other examples.

It's simply like Lance indicated, block the ICMP error messages from the filtering device as well. With Check Point Firewall-1 do 2 mandatory rules: First, do not allow any traffic to the firewall itself; second, block any ICMP error message coming from the filtering device to anywhere (yes anywhere! Internal and External). Put those as rule 1 and rule 2.

Another problem would be if the filtering device spoofs replies for machines it is protecting. This can lead to the discovery of the OS the filtering device is using as well.

Ofir Arkin [ofir () itcon-ltd com]
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com
Personal Web page: http://www.sys-security.com
"Opinions expressed do not necessarily represent the views of my employer."

> -----Original Message-----
> From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com] On Behalf Of Lance Spitzner
> Sent: Friday, November 10, 2000 7:24 AM
> To: Alex Goldney
> Cc: nmap-hackers () insecure org; firewall-wizards () nfr com
> Subject: Re: [fw-wiz] TTL, works with Cisco ACL's to :)
>
> On Thu, 9 Nov 2000, Alex Goldney wrote:
> > I know a lot of sites don't do good egress filtering, and I guess that is the point that needs to be hammered home.....
> Actually many sites do have egress filtering. However, the filtering device is filtering outbound traffic generated by the internal network. What many sites are NOT doing is egress filtering of traffic generated by the filtering device itself. The filtering device is trusted, so it is allowed to generate and send any traffic it wants to. That is why I believe the use of TTL within port scans can be effective against many filtering devices.
> On Thu, 9 Nov 2000, Alex Goldney wrote:
> > OK, so you aren't blocking any ICMP packets with access-lists. That should avoid the problem, no? Of course, it can be considered a bit unfriendly to block the lot. PATH MTU discovery stuff should be allowed at least in general. I guess that opens up the possibility for the same type of attack if the MTU for one of your routers' links is less than the MTU of the incoming internet link. This case should be pretty rare though.
>
> Keep in mind, many Firewalls/Screening Routers do not block ICMP error messages. Those that do block ICMP error messages block them inbound from the untrusted networks, such as the Internet, or block them inbound from internal networks. However, most rulebases/ACLs do NOT block ICMP error messages generated by the filtering device itself. Keep in mind, this is a generalization based on my experience.
>
> lance
> --
> Lance Spitzner
> http://www.enteract.com/~lspitz
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://www.nfr.com/mailman/listinfo/firewall-wizards
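The two mandatory rules Ofir describes, modelled as an added example (this is not code from the thread, from Check Point or from any firewall product): a small Python policy evaluator that parses constructed IPv4/ICMP packets and applies rule 1 (nothing to the firewall itself) and rule 2 (no ICMP error message leaving the filtering device, whatever the destination) in order. The firewall addresses and sample packets are assumed placeholders.

```python
import struct
from ipaddress import ip_address

# ICMP *error* message types (RFC 792): dest unreachable, source quench,
# redirect, time exceeded, parameter problem. Informational types (echo 8/0)
# are deliberately not in this set; they fall through to the rest of the rulebase.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

# Assumed, constructed addresses for the filtering device's own interfaces.
FIREWALL_ADDRS = {ip_address("192.0.2.1"), ip_address("198.51.100.1")}


def parse_ipv4(pkt: bytes) -> dict:
    """Extract src, dst, protocol and (for ICMP) the ICMP type from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]
    src = ip_address(pkt[12:16])
    dst = ip_address(pkt[16:20])
    icmp_type = pkt[ihl] if proto == 1 else None
    return {"src": src, "dst": dst, "proto": proto, "icmp_type": icmp_type}


def policy(p: dict):
    """Return (verdict, rule_number). Rule 1 and rule 2 are evaluated first, in order."""
    if p["dst"] in FIREWALL_ADDRS:
        return ("DROP", 1)             # rule 1: no traffic to the firewall itself
    if p["src"] in FIREWALL_ADDRS and p["proto"] == 1 and p["icmp_type"] in ICMP_ERROR_TYPES:
        return ("DROP", 2)             # rule 2: firewall-generated ICMP errors go nowhere
    return ("ACCEPT", 0)               # rest of the rulebase, modelled as accept


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left zero) plus payload, for the demo only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload


# Constructed samples. The first is a Time Exceeded (type 11) the firewall would emit
# when a probe's TTL expires on it: exactly the reply that gives the device away.
TIME_EXCEEDED = build_ipv4("192.0.2.1", "203.0.113.7", 1, bytes([11, 0, 0, 0]))
ECHO_REPLY = build_ipv4("10.0.0.5", "203.0.113.7", 1, bytes([0, 0, 0, 0]))
TO_FIREWALL = build_ipv4("203.0.113.7", "198.51.100.1", 6, b"\x00" * 20)

if __name__ == "__main__":
    for name, pkt in [("time-exceeded", TIME_EXCEEDED), ("echo-reply", ECHO_REPLY),
                      ("to-firewall", TO_FIREWALL)]:
        print(name, policy(parse_ipv4(pkt)))
```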