RE: TTL, works with Cisco ACL's to :)

["Ofir Arkin" <ofir () itcon-ltd com>]

Further more,

When the filtering device is generating the ICMP Error messages, in this
case,
it will give us a clear indication about the OS it is installed on.

If you do not block the error messages than even if you have "transparent"
networking or filtering
devices along the way to the target they are exposed easily when you are
using Firewalk like technique
with an allowed traffic. For example a reverse proxy transparent to the
void. And there are other examples.

Its simply like Lance indicated, block the ICMP error messages from the
filtering device as well.
With Check Point Firewall-1 do 2 mandatory rules: First, do not allow any
traffic to the firewall itself, Second one
will be block any ICMP Error message coming from the filtering device to
anywhere (yes anywhere! Internal
and External). Put those as rule 1 and rule 2.

Anotehr problem would be if the filtering device spoofs replies for machines
it is protecting. This can
lead to the discovery of the OS the filtering device is using as well.


Ofir Arkin  [ofir () itcon-ltd com]
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com

Personal Web page: http://www.sys-security.com

"Opinions expressed do not necessarily
represent the views of my employer."


-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com]On Behalf Of Lance Spitzner
Sent: Friday, November 10, 2000 7:24 AM
To: Alex Goldney
Cc: nmap-hackers () insecure org; firewall-wizards () nfr com
Subject: Re: [fw-wiz] TTL, works with Cisco ACL's to :)


On Thu, 9 Nov 2000, Alex Goldney wrote:

> I know a lot of sites don't do good egress filtering, and I guess that is
> the point that needs to be hammered home.....

Actually many sites do have egress filtering.  However, the filtering device
is filtering outbound traffic generated by the internal network.  What many
sites are NOT doing is egress filtering of traffic generated by the
filtering
device itself.  The filtering device is trusted, so it is allowed to
generate
and send any traffic it wants to.  That is why I belive the use of TTL
within
port scans can be effective against many filtering devices.

> On Thu, 9 Nov 2000, Alex Goldney wrote:
>
> > OK, so you aren't blocking any ICMP packets with access-lists.
> > That should avoid the problem, no?  Of course, it can be considered
> > a bit unfriendly to block the lot.
> >
> > PATH MTU discovery stuff should be allowed at least in general.  I guess
> > that opens up the possiblility for the same type of attack if the MTU
for
> > one of your routers links is less than the MTU of the incoming internet
> > link.  This case should be pretty rare though.
>
> Keep in mind, many Firewalls/Screening Routers do not block ICMP error
> messages.  Those that do block ICMP error messages block them inbound from
> the untrusted networks, such as the Internet, or block them inbound from
> internal networks.  However, most rulebases/ACLs do NOT block ICMP error
> messages generated by the filtering device itself.
>
> Keep in mind, this is a generalization based on my experience.
>
> lance

--
Lance Spitzner
http://www.enteract.com/~lspitz


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards