Firewall Wizards mailing list archives

Re: Phrack #60: "Java tears down the Firewall"


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Fri, 03 Jan 2003 23:46:23 +0100


David Lang wrote:

> Ok, this then limits the attack to the machine running the 
> browser doesn't it? 

With any sane firewall, yes.  Some have been known to not limit this,
however.  Some because of brain damage on the implementor's part, and
some because "it's a feature! it allows server-to-server transfers!".

(But limiting the attack to machines running browsers doesn't limit
 very much IMHO :P)

> Or are you saying that firewalls allow active FTP data connections to
> terminate on a different machine than the control connection is from, I
> know not all firewalls make this mistake (one more case where a good app
> level firewall will win over a stateful firewall)

A-hem. Not testing whether the data channel belongs to the same IP
as the control channel is a single "if()" clause, and that particular
piece of code would be identical in a stateful firewall and a proxy
firewall.

Now, I believe that not fully reassembling any TCP connection where you
(need to) examine L7 data is a crime in and of itself, but for entirely 
different reasons.


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
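
The check described in the message above, as an added example that is not part of the original post or of any firewall's code: parse the active-mode FTP `PORT` argument and refuse the data-channel opening unless its address equals the control connection's client address. The function and enum names are hypothetical, the addresses are constructed samples, and the input is assumed to be one complete, already reassembled control-channel line.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; addresses below are constructed documentation samples. */
enum port_verdict { PORT_ALLOW, PORT_NOT_PORT_CMD, PORT_MALFORMED, PORT_IP_MISMATCH };

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* line: one complete, reassembled control-channel line with CRLF stripped.
 * ctrl_ip: client address of the control connection (host byte order).
 * On PORT_ALLOW, *data_port is the only port to admit, and only towards ctrl_ip. */
enum port_verdict check_port_cmd(const char *line, uint32_t ctrl_ip, uint16_t *data_port)
{
    static const char cmd[] = "PORT ";
    unsigned v[6];
    const char *p;
    int i;

    for (i = 0; i < 5; i++)            /* FTP verbs are case-insensitive */
        if (toupper((unsigned char)line[i]) != cmd[i])
            return PORT_NOT_PORT_CMD;
    p = line + 5;
    for (i = 0; i < 6; i++) {          /* strict h1,h2,h3,h4,p1,p2: 1-3 digits, 0..255 */
        unsigned n = 0;
        int digits = 0;
        while (*p >= '0' && *p <= '9' && digits < 3) {
            n = n * 10 + (unsigned)(*p++ - '0');
            digits++;
        }
        if (digits == 0 || n > 255 || *p != (i < 5 ? ',' : '\0'))
            return PORT_MALFORMED;
        if (i < 5)
            p++;
        v[i] = n;
    }
    if (ip4(v[0], v[1], v[2], v[3]) != ctrl_ip)   /* the single if() */
        return PORT_IP_MISMATCH;
    *data_port = (uint16_t)((v[4] << 8) | v[5]);
    return PORT_ALLOW;
}

int main(void)
{
    uint16_t port = 0;
    int r = check_port_cmd("PORT 192,0,2,99,0,22", ip4(192, 0, 2, 10), &port);
    printf("verdict=%d\n", r);         /* client 192.0.2.10 naming 192.0.2.99 */
    return 0;
}
```

The comparison itself is one line; the strict parsing around it only means something if the line was taken from a reassembled TCP stream, which is the separate point made in the message's last paragraph.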