Re: Firewall vs. IPS - Differences now (ISS, Intrushield 2.1?)

[Jose Maria Lopez <jkerouac () bgsec com>]

El lun, 30 de 08 de 2004 a las 04:21, Mike Frantzen escribió:
> > On Aug 18, 2004, at 2:29 PM, Joel Snyder wrote:
> > > To get into the firewall sweepstakes, you have to start with
stateful 
> > > packet inspection, not the weak crap you get for free in some
freeware 
> > > firewalls, but something that watches sequence numbers and the
*full* 
> > > TCP state machine, plus options, defragmentation, all that jazz.
> > A genuine (non-rhetorical) question:
> > Why do we think this is true?
>
> This is going to be an extremely controversial answer that the
security
> purists probably will not like.  But they're fun to piss off so here
goes.
> The real benefit of a full fledged TCP state machine is knowing when
to
> expire an idle connection.  If we expire a connection too early, then
> the next packet that comes in on it will appear to be a new connection
> and several things may happen:
>   1) it gets logged as a different connection
>   2) it gets NATs to a different IP or port
>   3) you lose the TCP window scale value
>   4) the connection will break if you only allow state creation on a
SYN
>   5) any sequence number modulation will break the connection
>   6) any TCP timestamp modulation will probably break the connection
>   
> When you know what state a connection is in, you can statistically
> determine the timeouts.  For instance almost all SYNs are followed by
a
> SYN|ACK within 120 seconds.  The SYN|ACK will be followed by an ACK
> within 30 seconds....

I think it's just a matter of using very long times in the state
machine, with the almost too powerful computers we have now to do
firewall and the huge amounts of memory they have it should be
possible to let the connection stay in the state machine the more
time the better. Linux does this in some way, because I drop the
NEW packets without SYNs and I had any problem ever, because my
logs show that this kind of packets are totally uncommon and normally
constructed traffic.


> > What are the security benefits of watching sequence numbers, the TCP
> > state machines, and options? (Sidenote: someone should do a quick
study 
> > to see how many "stateful firewalls" properly implement TCP PAWS ---
> > like every modern OS TCP stack does).
>
> Lol.  Dug Song and his love of PAWS is rubbing off on you.
>
> But ya, I implemented PAWS checks in OpenBSD's PF as an interaction
> between the scrubber and the TCP state code.  Was able to use the
> timestamp as an extension of the sequence numbers to make blind data
> injection much harder.  We know that the TCP timestamp will be less
than
> the last value echoed by the other endhost (conventional PAWS).  But
the
> trick is that the RFC limits the timestamp clock to 1KHz max so we
know
> the timestamp will not have increased by more than 1,000 * idle
seconds.
> .mike
> frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
> PGP:  CC A4 E2 E8 0C F8 42 F0  BC 26 85 5B 6F 9E ED 28
-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac () bgsec com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------