Firewall Wizards mailing list archives

Re: Phrack #60: "Java tears down the Firewall"


From: Árpád, Magosányi <mag () bunuel tii matav hu>
Date: Sun, 5 Jan 2003 21:29:05 +0000

My mail client believes Mikael Olsson wrote the following:

Or are you saying that firewalls allow active FTP data connections to
terminate on a different machine than the control connection is from? I
know not all firewalls make this mistake (one more case where a good app
level firewall will win over a stateful firewall).

A-hem. Not testing whether the data channel belongs to the same IP
as the control channel is a single "if()" clause, and that particular
piece of code would be identical in a stateful firewall and a proxy
firewall.

Now, I believe that not fully reassembling any TCP connection where you
(need to) examine L7 data is a crime in and of itself, but for entirely 
different reasons.


We have more issues here:

The first one is whether a good app level firewall can defend against this kind 
of attack? Not exactly. But it can do more defense than a stateful packet filtering
router. Tracking whether the data should go in or out is more complicated with
a packet filter (and theoretically impossible also). Stopping one direction can 
make the attack unfeasibly complicated and more easily observable with
whole classes of attacks. Converting active connections to passive may also
make the logic on the server side (if any) confused. BTW, is there any app
level firewall besides Zorp which can do active-passive conversion? 
Defense against known attack signatures is also easier with a good app
level firewall, as it can match against signatures in the data channel.
(Stopping attacks to known ports should be possible with packet filters also.)

The second question is whether a data channel should go to the same machine
where the control channel is. The real question is how much we can break
standards for the sake of security. I believe that the main point of security
is security. If the other end cannot talk the subset of standards we support,
talk is not important enough to either end. (And I also hate to support broken
implementations just because talking is more important to us. I think that
"business need" is a euphemism for "undermining years of hard work just
because you cannot build up a good communication (in the social meaning) with
your partner".)

The third question is how deeply you should examine the traffic you pass through,
and how deep your software should be able to do it.
I believe that you should examine everything you can gather on the properties
of the traffic you pass through. And you should spend effort on gathering the
information proportional to the importance of the asset you are defending. Also,
the importance threshold which warrants building a firewall also warrants spending
enough time to design it (in symbiosis with the systems it defends) in much more 
detail than just the IP address, port and protocol level.
I also believe that your hw/sw should have enough reserve to stand up when
something happens. So it should be able to pass through traffic at least two
times heavier than the planned maximum, with two times deeper settings. This is why
traffic filtering routers are not firewalls.

-- 
GNU GPL: only from clean source
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
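As an added illustration, not code from the original post or from Zorp, here is the per-connection check the post calls "a single if() clause": a proxy parses the client's PORT argument and honours it only when the requested data address is the control connection's own peer and the port is unprivileged, and builds the PORT argument it sends onward with its own address. All IP addresses here are constructed.

```python
import ipaddress

# Constructed sample value: peer address of an incoming FTP control connection.
CONTROL_PEER_IP = "192.0.2.10"


def parse_port_arg(arg):
    """Parse an FTP PORT argument "h1,h2,h3,h4,p1,p2" into (ip, port).

    Raises ValueError for anything that is not six byte-sized fields.
    """
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs exactly six fields")
    nums = [int(f) for f in fields]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("PORT fields must be in 0..255")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def build_port_arg(ip, port):
    """Inverse of parse_port_arg: the proxy uses this with its own address
    when it re-issues PORT towards the server."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def check_active_data_request(control_peer_ip, port_arg, min_port=1024):
    """Decide whether a proxy should accept a client's PORT command.

    Returns (allowed, reason). The data address must equal the control
    connection's peer, and the port must not be a privileged one, so a
    client cannot make the firewall open a connection to a third host or
    to a well-known service on its own machine.
    """
    try:
        ip, port = parse_port_arg(port_arg)
    except ValueError as exc:
        return False, "malformed PORT: %s" % exc
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer_ip):
        return False, "data address %s differs from control peer %s" % (
            ip, control_peer_ip)
    if port < min_port:
        return False, "data port %d is below %d" % (port, min_port)
    return True, "data channel to %s:%d permitted" % (ip, port)
```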

