Firewall Wizards mailing list archives

Re: stealth firewalls


From: Valerie Anne Bubb <Valerie.Bubb () Sun COM>
Date: Fri, 18 Jan 2002 11:39:18 -0800 (PST)


From: ark () eltex ru

VPN peers are not required to be visible from VPN itself.

You can build a bridge that will take a packet from (bridging) interface 0 on
machine A, encapsulate and encrypt it, send it via interface 1 to machine B's
interface 1, which will decrypt it and send it out via interface 0 on machine B,
and vice versa.

True, but anytime a bridge or stealth firewall is doing tunneling
(usually the case for VPN), the "stealth" device has to touch the
packet - which makes it less stealthy.  (The same is true if the device
is doing NAT.)   The device will leave a fingerprint, such as a modified
MAC, that to the watchful eye will show that there is a bridging
device between the networks.

NOTE: the IP address used in the tunnel does not actually "belong"
to the stealth device, it is simply an otherwise unused IP that
is valid for the subnet the device is subdividing.  That is, that
IP is not plumbed on any of the interfaces (virtual or otherwise)
that belong to the device.

Also, when such devices are additionally acting as a VPN device, they
may have to generate ICMP need-to-fragment messages for everything to work
correctly.   This makes the device less stealthy. Again, they
will fake the packet using the tunnel's IP addr and an imaginary
MAC.  Since bridging devices listen to the network in promiscuous
mode, they will see all responses and ICMP errors related to the tunnel.

Mudge did a presentation at USENIX Security Symposium a few
years back that includes lots of tricks for detecting stealth
devices on your network.

As a side note, there was some earlier discussion about the ability
to handle multiple interfaces on such a beast.  I know it is very
easy to do with SunScreen (you tell it which parts of the network
reside off of which interface, and it sends the packet out of
the correct interface).  I'm sure this is possible in other implementations.

Valerie
--
valerie.bubb () sun com
bubb () bubb org

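An added example, not from Valerie's message or from the Mudge talk she mentions: a small Python check that applies the two fingerprints described above (an ICMP need-to-fragment message sent from an IP that never answers ARP, and IP traffic whose source MAC disagrees with that host's ARP reply) to a constructed capture. The frame format, addresses and MACs are all constructed for the example.

```python
"""Flag fingerprints of a 'stealth' bridge/VPN device in captured frames.

Constructed example. Frames are simplified dicts; a real deployment would
feed them from a packet capture that includes the ARP exchanges, since the
ARP table used for comparison is learned from the capture itself.
"""
ARP_REPLY = "arp_reply"
IP = "ip"
ICMP_FRAG_NEEDED = (3, 4)   # ICMP type 3 (unreachable), code 4 (frag needed, DF set)

# Constructed sample capture. 192.0.2.10 and .20 are real hosts. 192.0.2.250 is the
# tunnel IP a hypothetical bridge borrows: it never answers ARP, yet emits ICMP
# need-to-fragment messages from a MAC nobody has advertised.
SAMPLE_FRAMES = [
    {"kind": ARP_REPLY, "src_mac": "00:00:5e:00:53:10", "src_ip": "192.0.2.10"},
    {"kind": ARP_REPLY, "src_mac": "00:00:5e:00:53:20", "src_ip": "192.0.2.20"},
    {"kind": IP, "src_mac": "00:00:5e:00:53:10", "src_ip": "192.0.2.10", "icmp": None},
    {"kind": IP, "src_mac": "02:00:00:00:00:01", "src_ip": "192.0.2.250", "icmp": (3, 4)},
    {"kind": IP, "src_mac": "02:00:00:00:00:01", "src_ip": "192.0.2.20", "icmp": None},
]


def find_bridge_fingerprints(frames):
    """Return a sorted list of (reason, ip, mac) findings.

    Heuristic 1: an ICMP need-to-fragment message from an IP that is not
    plumbed on any host (it never answered ARP in the capture).
    Heuristic 2: an IP that answered ARP from one MAC but whose IP traffic
    arrives from another (a bridge rewriting or inventing the source MAC).
    """
    arp_mac = {}
    for f in frames:
        if f["kind"] == ARP_REPLY:
            arp_mac.setdefault(f["src_ip"], f["src_mac"])   # first reply wins
    findings = set()
    for f in frames:
        if f["kind"] != IP:
            continue
        ip, mac = f["src_ip"], f["src_mac"]
        known = arp_mac.get(ip)
        if f["icmp"] == ICMP_FRAG_NEEDED and known is None:
            findings.add(("frag-needed from unplumbed ip", ip, mac))
        if known is not None and known != mac:
            findings.add(("mac mismatch vs arp", ip, mac))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_bridge_fingerprints(SAMPLE_FRAMES):
        print(finding)
```
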
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
