Friday, January 08, 2010

firewall-wizards Digest, Vol 45, Issue 1

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Use of single port aggregations to enhance security (Darren Reed)
2. Duplicate Public IP Addresses? (arvind doraiswamy)
3. Re: Duplicate Public IP Addresses? (Paul D. Robertson)
4. Re: Duplicate Public IP Addresses? (Orca)


----------------------------------------------------------------------

Message: 1
Date: Wed, 06 Jan 2010 06:12:46 +1100
From: Darren Reed <Darren.Reed@Sun.COM>
Subject: [fw-wiz] Use of single port aggregations to enhance security
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <4B438F2E.60504@Sun.COM>
Content-Type: text/plain; CHARSET=US-ASCII; format=flowed

I'm curious if anyone has toyed with the idea of creating
single port LACP aggregations on switches and connecting
firewalls that also speak LACP to them. The purpose of this
is that some (all?) switches will disable an aggregation
port when LACP is not running, so the LACP protocol becomes
something of a link-state protocol between the operating
system and the switch.

So what difference can this make?

If you're using an operating system based firewall (Linux,
BSD, Solaris), then depending on the order of the operating
system enabling firewall capabilities vs networking, there
may be windows where packets are able to reach code paths
that they weren't intended for because NIC drivers start
servicing packets quite early. However, nearly all of the
above operating systems implement LACP in software. This
means that there's a "knob" that can be used on the firewall
host to control whether or not the switch sends stuff to
the firewall, potentially allowing you to close that window
(if it exists). This might cause problems if you're doing
some sort of out-of-band remote console over that port O:->

I admit that caring about this might require a special level
of paranoia :)

But the idea of being able to turn the tap off, rather than
just pour what comes out of the hose down the drain, does
have some merit O:)

Darren

------------------------------

Message: 2
Date: Fri, 1 Jan 2010 20:40:55 +0530
From: arvind doraiswamy <arvind.doraiswamy@gmail.com>
Subject: [fw-wiz] Duplicate Public IP Addresses?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<e7efc21f1001010710u52c8b44dif7d72b79277a17e8@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hey Guys,
Maybe this is a bit of a basic question but I thought I'd ask here all
the same. Please let me know if this is too Non Firewall to be posted
:)

Over the years a lot of clients have used Public IP addresses on an
Internal network. So there's whole internal ranges with 80.x.x.x. Now
almost all of those systems do not have publicly reachable services at
all. Let's also assume that there is some website somewhere which has
the 80.x.x.x IP address assigned to it and people DO visit it and use
its "services". All ok so far.

What though if the internal network suddenly decided to make one of
his systems a web server, put a site onto it and pushed it on to the
Internet with the same 80.x.x.x address that was assigned to the
server when it was part of the Internal Network? Effectively it means
that now... 2 servers; the original web server (A) and the new web
server (B) both have an IP of 80.x.x.x (SAME).

Now I haven't done this practically and checked what will happen, but
I have a few questions in mind.

a) What happens to all the traffic going to A? Does it still go there
or do clients of A get redirected to B?
b) What about B wrt Question a) ?
c) What about DNS servers everywhere? What IP addresses will they
cache and how will they ensure that people are "routed" correctly?
d) Isn't this a very easy DOS condition? Anyone just changes IP,
registers with their own DNS and sits back and waits?

Am I missing something? It just seems too easy to do... so I thought I'd
post here and get educated :)

Thnx
Arvind


------------------------------

Message: 3
Date: Thu, 7 Jan 2010 20:53:19 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] Duplicate Public IP Addresses?
To: arvind doraiswamy <arvind.doraiswamy@gmail.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.1001072013310.6146-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 1 Jan 2010, arvind doraiswamy wrote:

> What though if the internal network suddenly decided to make one of
> his systems a web server, put a site onto it and pushed it on to the
> Internet with the same 80.x.x.x address that was assigned to the
> server when it was part of the Internal Network? Effectively it means
> that now... 2 servers; the original web server (A) and the new web
> server (B) both have an IP of 80.x.x.x (SAME).

The place doing this would have to be able to advertise their AS as a
route to that network and have their upstream providers also re-advertise
the route as a part of their peering announcements.

This used to happen occasionally way back when, but it seems pretty rare
in the modern era- all the upstreams and peering points have gotten
through the hassles, and most places don't actually own their address
space anymore, their ISPs do, and advertise it out of their AS's rather
than the customer's AS.

> Am I missing something? It just seems too easy to do... so I thought I'd
> post here and get educated :)

It's difficult to do- first of all, you generally have to be peering with
your provider(s), and most providers are picky about accepting routes from
customers (for the obvious reasons)- I can't imagine a major provider
who'd accept odd routes from any customer, they generally lock down what
advertisements they'll accept. Secondly, you have to get that provider to
accept a route to an address you don't own. Then that provider has to get
the provider they use, or their peers to accept them as a route to that
address space...

This seems reasonably complete though it's been a good number of years
since I've had to peer with multiple tier-1 providers so it may be a
little dated but it should give you a basic understanding of BGP peering:

http://www.cs.princeton.edu/~jrex/papers/policies.pdf

I think there's been a fair amount of work on detecting bogus BGP routing
information since I had to deal with peering routers- and there don't seem
to be enough incidents to make everyone want to solve anything, like
getting the IRR to a near complete status.

Routing has no effect on DNS other than which server the traffic gets sent
to. I'm not sure what you're confusing to get DNS into the picture-
routes don't get advertised via DNS, simply resource and address mappings,
which are an entirely different matter- with the caveat that some folks
seem to be trying to use DNSSEC to validate BGP validity.

Traffic goes to the "best" route, the document linked shows the order of
evaluation in the routing tables, which should be tempered with the fact
that they're going to be filtered for most providers that are accepting
routes from a customer.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

------------------------------

Message: 4
Date: Thu, 7 Jan 2010 17:56:29 -0800
From: "Orca" <klrorca@Hotmail.com>
Subject: Re: [fw-wiz] Duplicate Public IP Addresses?
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <COL109-DS1524A2784BCF46967C2130A5700@phx.gbl>
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
reply-type=original

So the short answer is that the real owner of the 80.X.X.X ISP advertises
the route, and you don't. So it would only affect your users local to your
network, in which case they would go to your local 80.X.X.X address over the
one on the internet someplace (assuming you're advertising the 80.X.X.X subnet
on your network).

Very few people would need to use more space than listed in RFC 1918 and RFC
3330 before using other random IP addresses. If one still needs more than
what these RFCs offer, then choose one that is unlikely to be on the common
internet, or services that your local users don't use, like one of the DoD
networks. But of course these can only be used internally; publicly you
will need addresses assigned to you from ARIN, or re-assigned from your ISP.

-Steve

--------------------------------------------------
From: "arvind doraiswamy" <arvind.doraiswamy@gmail.com>
Sent: Friday, January 01, 2010 7:10 AM
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Subject: [fw-wiz] Duplicate Public IP Addresses?

> Hey Guys,
> Maybe this is a bit of a basic question but I thought I'd ask here all
> the same. Please let me know if this is too Non Firewall to be posted
> :)
>
> Over the years a lot of clients have used Public IP addresses on an
> Internal network. So there's whole internal ranges with 80.x.x.x. Now
> almost all of those systems do not have publicly reachable services at
> all. Let's also assume that there is some website somewhere which has
> the 80.x.x.x IP address assigned to it and people DO visit it and use
> its "services". All ok so far.
>
> What though if the internal network suddenly decided to make one of
> his systems a web server, put a site onto it and pushed it on to the
> Internet with the same 80.x.x.x address that was assigned to the
> server when it was part of the Internal Network? Effectively it means
> that now... 2 servers; the original web server (A) and the new web
> server (B) both have an IP of 80.x.x.x (SAME).
>
> Now I haven't done this practically and checked what will happen, but
> I have a few questions in mind.
>
> a) What happens to all the traffic going to A? Does it still go there
> or do clients of A get redirected to B?
> b) What about B wrt Question a) ?
> c) What about DNS servers everywhere? What IP addresses will they
> cache and how will they ensure that people are "routed" correctly?
> d) Isn't this a very easy DOS condition? Anyone just changes IP,
> registers with their own DNS and sits back and waits?
>
> Am I missing something? It just seems too easy to do... so I thought I'd
> post here and get educated :)
>
> Thnx
> Arvind
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
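As an added illustration (not from any of the posters above), a toy Python model of the two mechanisms Paul's and Steve's replies describe: a provider's ingress filter that accepts a customer's BGP announcement only for prefixes registered to that customer (the IRR-style check), and longest-prefix match, which is why an internal copy of someone else's public range wins for local hosts while the rest of the Internet never sees it. The AS numbers, allocations and routing tables are constructed from documentation ranges; 203.0.113.0/24 stands in for the thread's 80.x.x.x.

```python
"""Constructed model of provider route filtering and local best-route
selection.  Nothing here touches a real routing table or registry."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed IRR-style registry: prefixes each customer AS is registered
# to hold.  Private-use ASNs and documentation prefixes only.
CUSTOMER_ALLOCATIONS: Dict[int, List[str]] = {
    64500: ["192.0.2.0/24"],
    64501: ["198.51.100.0/24"],
}


def accept_customer_route(customer_asn: int, announced: str) -> bool:
    """Provider-side ingress filter: accept an announcement only if it
    falls inside a prefix the announcing customer is registered to hold.
    A more specific sub-prefix of an allocation is still accepted."""
    prefix = ipaddress.ip_network(announced, strict=True)
    allowed = CUSTOMER_ALLOCATIONS.get(customer_asn, [])
    return any(prefix.subnet_of(ipaddress.ip_network(a)) for a in allowed)


def filter_announcements(customer_asn: int,
                         announcements: List[str]) -> Tuple[List[str], List[str]]:
    """Split a customer's announcements into accepted and rejected lists."""
    accepted = [p for p in announcements if accept_customer_route(customer_asn, p)]
    rejected = [p for p in announcements if p not in accepted]
    return accepted, rejected


def best_route(routing_table: Dict[str, str], dest: str) -> Optional[str]:
    """Longest-prefix match over a {prefix: next_hop} table.  The most
    specific route covering dest wins, so an internal /24 beats the
    default route for hosts inside that network."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in routing_table.items()
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


if __name__ == "__main__":
    # Customer 64500 legitimately announces its /24 and also tries to
    # announce 203.0.113.0/24, the stand-in for a range it does not own.
    print(filter_announcements(64500, ["192.0.2.0/24", "203.0.113.0/24"]))
    # Inside the customer's network the local copy wins; upstream it does not exist.
    internal = {"0.0.0.0/0": "upstream", "203.0.113.0/24": "internal-vlan"}
    print(best_route(internal, "203.0.113.10"), best_route({"0.0.0.0/0": "upstream"}, "203.0.113.10"))
```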


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 45, Issue 1
***********************************************