Firewall Wizards mailing list archives

Re: terminal services

From: Barney Wolff <barney () pit databus com>
Date: Wed, 29 Jan 2003 12:30:01 -0500

On Wed, Jan 29, 2003 at 08:26:20AM +0100, Reckhard, Tobias wrote:


Source ports are worth pretty much zilch when filtering TCP or UDP. It's not
a good security decision to design a filter that attempts to allow (only)
outbound DNS queries based on outbound packets having source port 53 and
inbound packet having destination port 53. Rather, the source port (in the
outbound direction) should be able to be pretty much anything, while the
destination port is the one that needs to be checked. Same for NTP or any
other service.


I believe you've misunderstood what I wrote.  If you allow queries to DNS
or NTP out from high ports, you must, with a non-state-keeping filter,
allow UDP inbound to high ports from port 53 or 123.  But without state,
you won't notice that the supposed DNS response from port 53 is going to
port 1434 and is an attack packet.  The solution, without state, is to
allow packets in only to ports 53 and 123, and ensure that outbound
requests are sent only from those ports.  If you can't do that you must
keep state.

There are protocols that use fixed client as well as server ports. IKE
appears to be one of them (but DNS and NTP definitely aren't). You can
configure your packet filter, stateful or not, more restrictively by
restricting the source ports used. It may buy you some added security. Most
of the time, that won't be much, though.


This is just wrong - both bind's named and ntpd can be configured to send
requests only from 53/123.  ntpd does it by default; it's ntpdate that
sends from a high port.  Just to be clear, I am NOT suggesting that
checking the source port of inbound packets does any good.  I am suggesting
that controlling the source port of your own outbound requests allows
you to restrict what destination ports inbound packets may target, if
you're using a simple router filter rather than a state-keeping firewall.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

RE: terminal services, (continued)
- RE: terminal services Noonan, Wesley (Jan 28)
  - RE: terminal services R. DuFresne (Jan 28)
    - RE: terminal services Paul D. Robertson (Jan 28)
    - Re: terminal services Barney Wolff (Jan 28)
    - RE: firewall design (was: RE: terminal services ) m p (Jan 29)
  - RE: terminal services Paul D. Robertson (Jan 28)
    - RE: terminal services R. DuFresne (Jan 28)
    - Message not available
    - RE: terminal services Marcus J. Ranum (Jan 28)
- Re: terminal services Steven M. Bellovin (Jan 28)
- RE: terminal services Reckhard, Tobias (Jan 28)
  - Re: terminal services Barney Wolff (Jan 29)
    - Re: terminal services Paul Robertson (Jan 29)
    - Re: terminal services Barney Wolff (Jan 30)
- RE: terminal services Reckhard, Tobias (Jan 30)
- RE: terminal services Reckhard, Tobias (Jan 30)
  - Re: DNS security (Was: re: terminal services) Mikael Olsson (Jan 31)