Firewall Wizards mailing list archives
Re: Phrack #60: "Java tears down the Firewall"
From: Árpád, Magosányi <mag () bunuel tii matav hu>
Date: Sun, 5 Jan 2003 21:29:05 +0000
My mailer believes that Mikael Olsson wrote the following:
> > Or are you saying that firewalls allow active FTP data connections to
> > terminate on a different machine than the control connection is from, I
> > know not all firewalls make this mistake (one more case where a good app
> > level firewall will win over a stateful firewall)
>
> A-hem. Not testing whether the data channel belongs to the same IP as the
> control channel is a single "if()" clause, and that particular piece of
> code would be identical in a stateful firewall and a proxy firewall. Now,
> I believe that not fully reassembling any TCP connection where you (need
> to) examine L7 data is a crime in and of itself, but for entirely
> different reasons.
We have more issues here.

The first one is whether a good app level firewall can defend against this kind of attack? Not exactly. But it can do more in the way of defense than a stateful packet filtering router. Tracking whether the data should go in or out is more complicated with a packet filter (and theoretically impossible also). Stopping one direction can make the attack unfeasibly complicated and more easily observable, for whole classes of attacks. Converting active connections to passive may also confuse the logic on the server side (if any). BTW, is there any app level firewall besides Zorp which can do active-passive conversion? Defense against known attack signatures is also easier with a good app level firewall, as it can match against signatures in the data channel. (Stopping attacks to known ports should be possible with packet filters also.)

The second question is whether a data channel should go to the same machine where the control channel is. The real question is how much we can break standards for the sake of security. I believe that the main point of security is security. If the other end cannot talk the subset of standards we support, the talk is not important enough to either end. (And I also hate to support broken implementations just because talking is more important to us. I think that "business need" is a euphemism for "undermining years of hard work just because you cannot build up good communication (in the social meaning) with your partner".)

The third question is how deeply you should examine the traffic you pass through, and how deep your software should be able to go. I believe that you should examine everything you can gather on the properties of the traffic you pass through. And you should spend effort on gathering the information proportional to the importance of the asset you are defending.
Also, the importance threshold which warrants building a firewall also warrants spending enough time to design it (in symbiosis with the systems it defends) in much more detail than just the IP address, port and protocol level. I also believe that your hw/sw should have enough reserve to stand up when something happens. So it should be able to pass traffic at least two times heavier than the planned maximum, with two times deeper settings. This is why traffic filtering routers are not firewalls.

--
GNU GPL: only from a clean source

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
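As an added illustration (not code from the thread, nor Zorp's own) of the "single if()" check Mikael mentions and the same-host question raised above: a small Python PORT-command validator such as an FTP proxy would run before opening a data channel. The control_peer argument and the min_port floor are assumptions, not something the thread specifies.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# PORT h1,h2,h3,h4,p1,p2 (RFC 959); the six fields must be decimal bytes.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


@dataclass
class PortDecision:
    allowed: bool
    reason: str
    data_host: Optional[str] = None
    data_port: Optional[int] = None


def parse_port_argument(arg: str):
    """Turn 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port); raise ValueError if malformed."""
    fields = [int(x) for x in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("malformed PORT argument")
    host = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]
    return host, port


def check_port_command(line: str, control_peer: str, min_port: int = 1024) -> PortDecision:
    """Decide whether a client's PORT command may open a data channel.

    control_peer is the source address of the control connection as seen by
    the proxy. min_port (an assumed policy, not from the thread) refuses data
    channels aimed at privileged ports on the client host.
    """
    m = PORT_RE.match(line.strip())
    if not m:
        return PortDecision(False, "not a PORT command")
    try:
        host, port = parse_port_argument(m.group(1))
    except ValueError as exc:
        return PortDecision(False, str(exc))
    if host != ipaddress.IPv4Address(control_peer):
        # The "single if()" from the thread: the data channel must go back to
        # the same host the control connection came from.
        return PortDecision(False, "data address differs from control peer", str(host), port)
    if port < min_port:
        return PortDecision(False, "data port below policy minimum", str(host), port)
    return PortDecision(True, "ok", str(host), port)
```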
Current thread:
- Re: Phrack #60: "Java tears down the Firewall" Mikael Olsson (Jan 03)
- Re: Phrack #60: "Java tears down the Firewall" Marcus J. Ranum (Jan 03)
- Re: Phrack #60: "Java tears down the Firewall" Mikael Olsson (Jan 03)
- Re: Phrack #60: "Java tears down the Firewall" David Lang (Jan 03)
- Re: Phrack #60: "Java tears down the Firewall" Mikael Olsson (Jan 03)
- Re: Phrack #60: "Java tears down the Firewall" Árpád, Magosányi (Jan 06)
- Re: Phrack #60: "Java tears down the Firewall" Mikael Olsson (Jan 06)
- Re: Phrack #60: "Java tears down the Firewall" Magosányi Árpád (Jan 07)
- Re: Phrack #60: "Java tears down the Firewall" Mikael Olsson (Jan 07)
- Re: Phrack #60: "Java tears down the Firewall" Kevin Steves (Jan 11)
- Re: Phrack #60: "Java tears down the Firewall" Mikael Olsson (Jan 03)
- Re: Phrack #60: "Java tears down the Firewall" Marcus J. Ranum (Jan 03)
- Re: Phrack #60: "Java tears down the Firewall" Gary Flynn (Jan 05)