Firewall Wizards mailing list archives
Re: stealth firewalls
From: Valerie Anne Bubb <Valerie.Bubb () Sun COM>
Date: Fri, 18 Jan 2002 11:39:18 -0800 (PST)
From: ark () eltex ru

> VPN peers are not required to be visible from the VPN itself. You can build a bridge that will take a packet from (bridging) interface 0 on machine A, encapsulate and encrypt it, send it via interface 1 to machine B's interface 1, which will decrypt it and send it out via interface 0 on machine B, and vice versa.

True, but any time a bridge or stealth firewall is doing tunneling (usually the case for VPN), the "stealth" device has to touch the packet, which makes it less stealthy. (The same is true if the device is doing NAT.) The device will leave a fingerprint, such as a modified MAC, that to the watchful eye will show that there is a bridging device between the networks.

NOTE: the IP address used in the tunnel does not actually "belong" to the stealth device; it is simply an otherwise unused IP that is valid for the subnet the device is subdividing. That is, that IP is not plumbed on any of the interfaces (virtual or otherwise) that belong to the device.

Also, when such devices are additionally acting as a VPN device, they may have to send ICMP "need to fragment" messages for everything to work correctly. This makes the device less stealthy. Again, they will fake the packet using the tunnel's IP addr and an imaginary MAC. Since bridging devices listen to the network in promiscuous mode, they will see all responses and ICMP errors related to the tunnel.

Mudge did a presentation at the USENIX Security Symposium a few years back that includes lots of tricks for detecting stealth devices on your network.

As a side note, there was some earlier discussion about the ability to handle multiple interfaces on such a beast. I know it is very easy to do with SunScreen (you tell it which parts of the network reside off of which interface, and it sends the packet out of the correct interface). I'm sure this is possible in other implementations.

Valerie

--
valerie.bubb () sun com
bubb () bubb org

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
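The two fingerprints Valerie describes (a rewritten source MAC, and ICMP "need to fragment" errors forged from an otherwise-unused subnet IP with an imaginary MAC) can be hunted for passively. The script below is an added example, not code from the message, from SunScreen, or from Mudge's talk; the `Frame` record, the sample capture and the address 10.0.0.250 standing in for the unused tunnel IP are all constructed for illustration, and a real tool would decode these fields from a pcap.

```python
"""Passive detection of a transparent ("stealth") bridge/VPN device from the traces it
leaves on the wire: a rewritten source MAC, and ICMP Need Fragment errors sent from an
otherwise-unused tunnel IP with an imaginary MAC.
Added example, not from the original post. All frames below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """Minimal view of a captured frame (assumed fields; a real tool decodes pcap)."""
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str              # "tcp", "udp" or "icmp"
    icmp_type: int = -1     # only meaningful when proto == "icmp"
    icmp_code: int = -1


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set => locally administered address, i.e. not a vendor
    OUI. Not proof of forgery (VMs use these too), but worth a second look."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def learn_hosts(frames):
    """IP -> set of source MACs, learned from ordinary traffic only. ICMP errors are
    excluded so that a forged error cannot teach us the forger's MAC."""
    table = defaultdict(set)
    for f in frames:
        if f.proto == "icmp" and f.icmp_type == 3:
            continue
        table[f.src_ip].add(f.src_mac)
    return dict(table)


def find_mac_flaps(table):
    """An IP seen with more than one source MAC: either a device between the capture
    points is rewriting MACs, or someone is spoofing. Needs captures from both sides
    of the suspected bridge (or a host that sees both segments) to fire."""
    return {ip: sorted(macs) for ip, macs in table.items() if len(macs) > 1}


def find_suspicious_frag_needed(frames, table):
    """ICMP type 3 / code 4 ("fragmentation needed and DF set") is what a tunnelling
    device must emit when the tunnel overhead shrinks the path MTU. Flag it when the
    source IP never sent ordinary traffic (an 'unused' subnet address), when the MAC
    disagrees with what we learned for that IP, or when the MAC looks made up."""
    findings = []
    for f in frames:
        if not (f.proto == "icmp" and f.icmp_type == 3 and f.icmp_code == 4):
            continue
        reasons = []
        known = table.get(f.src_ip)
        if not known:
            reasons.append("source IP never seen sending ordinary traffic")
        elif f.src_mac not in known:
            reasons.append(f"source MAC {f.src_mac} differs from learned {sorted(known)}")
        if is_locally_administered(f.src_mac):
            reasons.append("locally administered (non-OUI) source MAC")
        if reasons:
            findings.append((f, reasons))
    return findings


# Constructed sample capture. 10.0.0.250 plays the unused "tunnel" address; the
# frame from 10.0.0.5 with a 02:... MAC is the same host as seen on the far side.
SAMPLE_FRAMES = [
    Frame("00:11:22:33:44:55", "10.0.0.5", "10.0.0.9", "tcp"),
    Frame("00:aa:bb:cc:dd:ee", "10.0.0.9", "10.0.0.5", "tcp"),
    Frame("02:00:00:00:00:01", "10.0.0.5", "10.0.0.9", "tcp"),           # rewritten MAC
    Frame("02:de:ad:be:ef:00", "10.0.0.250", "10.0.0.5", "icmp", 3, 4),  # forged from tunnel IP
    Frame("00:aa:bb:cc:dd:ee", "10.0.0.9", "10.0.0.5", "icmp", 3, 4),    # plausible, known host
    Frame("00:11:22:33:44:55", "10.0.0.9", "10.0.0.5", "icmp", 3, 4),    # wrong MAC for 10.0.0.9
]


def analyse(frames):
    """Run both heuristics; returns a dict the caller (or a test) can inspect."""
    table = learn_hosts(frames)
    return {
        "mac_flaps": find_mac_flaps(table),
        "frag_needed": [(f.src_ip, f.src_mac, reasons)
                        for f, reasons in find_suspicious_frag_needed(frames, table)],
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_FRAMES).items():
        print(key, value)
```

The MAC-flap check only fires if you capture on both sides of the suspected device (or from a host that straddles the two segments), since from one side each IP consistently shows one MAC. The "need to fragment" check is a heuristic: a legitimate router also emits type 3/code 4, which is why the sample from the known host 10.0.0.9 with its learned MAC is not flagged; the signal is an error arriving from an address that never otherwise speaks, or from a MAC that does not match the host.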
Current thread:
- RE: stealth firewalls, (continued)
- RE: stealth firewalls Don Flanagan (Jan 19)
- Re: stealth firewalls Volker Tanger (Jan 17)
- Re: stealth firewalls ark (Jan 18)
- Re: stealth firewalls Volker Tanger (Jan 18)
- Re: stealth firewalls ark (Jan 18)
- Re: stealth firewalls Peter Lukas (Jan 17)
- Re: stealth firewalls Dave Mitchell (Jan 18)
- Re: stealth firewalls Roelof JT Jonkman (Jan 18)
- Re: stealth firewalls ark (Jan 17)
- Re: stealth firewalls ark (Jan 18)
- Re: stealth firewalls Volker Tanger (Jan 18)
- Re: stealth firewalls Valerie Anne Bubb (Jan 19)
- Re: stealth firewalls Valerie Anne Bubb (Jan 19)