Wednesday, November 28, 2007

firewall-wizards Digest, Vol 19, Issue 31

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Firewalls that generate new packets.. (Marcus J. Ranum)
2. Re: Firewalls that generate new packets.. (Marcus J. Ranum)
3. Re: Firewalls that generate new packets.. (Marcus J. Ranum)
4. Re: Firewalls that generate new packets.. (Darden, Patrick S.)
5. Re: Firewalls that generate new packets.. (Darden, Patrick S.)
6. Re: Firewalls that generate new packets.. (Marcus J. Ranum)
7. Re: Firewalls that generate new packets.. (Paul D. Robertson)


----------------------------------------------------------------------

Message: 1
Date: Tue, 27 Nov 2007 23:01:53 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>, Darren Reed
<Darren.Reed@Sun.COM>
Message-ID: <6.2.0.14.2.20071127224850.045f0460@ranum.com>
Content-Type: text/plain; charset="us-ascii"

Darren Reed wrote:
>Marcus, don't you find it funny that people are coming up
>with new terms to describe technology that is even more
>lame than what has been available via open source for more
>than 10 years now?

I don't find it FUNNY at all. I find it:
"unilateral deep stateful limp induction"
or, in other words:
"lame"

>I mean, would you buy a firewall that did stateful filtering, proxying
>or deep packet inspection? I mean, what sounds sexier?

You've got a really good point there. If I were going to write
another firewall, I think I'd call it a:
"male member enhancing massive state packet pumper"
I'd have tennis elbow from cashing all the checks.

The reason that I show frustration about this is because, while
I know that most people are intellectually lazy and fall for
marketing, I expected better from the security community.
My bad.

mjr.

------------------------------

Message: 2
Date: Tue, 27 Nov 2007 23:13:23 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <6.2.0.14.2.20071127230353.045ea748@ranum.com>
Content-Type: text/plain; charset="us-ascii"

Marcin Antkiewicz wrote:
>I am not the authority on the subject but, if I am correct, the first
>firewalls did not even have packet filters - traffic went through a proxy,
>and protocols that were not supported/proxy friendly were transfered via
>some kind of authenticated IP replay thingey (or was it decnet to IP
>bridge?)

It's not sure what the "first" firewalls were, because there were a
fair number of things in play around the mid/late 80's called
"firewalls."

Dave Presotto's firewall at Bell Labs involved a mix
of proxies and circuit relays. Brian Reid, Geoff Mogul and Paul
Vixie at DEC West were managing a "firewall" that most of us
today would term a "dual homed gateway" - users had shell
level access and logged into the device, making /bin/sh a rather
open-ended "proxy."

Most of us would call Presotto's system the first true firewall,
but (as you can imagine) there are a lot of people who want to
stake their claim to various pieces of the puzzle.

On a related and somewhat amusing unhistorical note, the
US Patent Office continues to grant patents for proxy
firewalls. At least once (and sometimes twice) a year, I get
excited calls from lawyers wanting to hire me as a consultant
to help them sue some big firewall vendor or other for
infringing on a ground-breaking idea like proxy transparency
(first shipped in borderguard but simultaneously implemented in
Gauntlet, Centri, and AT&T's firebrick) or content scanning
(first shipped in DEC SEAL - sort of - and later in Secure
Computing Sidewinder's marketing literature, and then a
host of others) etc, etc. I can't decide whether to laugh or
cry.

mjr.

------------------------------

Message: 3
Date: Wed, 28 Nov 2007 13:28:23 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <6.2.0.14.2.20071128132423.052f6720@ranum.com>
Content-Type: text/plain; charset="us-ascii"

Darden, Patrick S. wrote:
>No offense, but both of you are wrong.
>Properly configured, a simple firewall
>CAN prevent most DOS attacks.

Sure! It can block most of the current crop. But
there's no way a firewall can prevent a bandwidth
consumption attack. At the very least for the simple
reason that the attack can take place upstream of
the firewall or against the link leading to the firewall.

It's important not to confuse something that can
help against a wide variety of attacks (nothing wrong
with that) with a solution to the problem.

mjr.

------------------------------

Message: 4
Date: Wed, 28 Nov 2007 08:54:42 -0500
From: "Darden, Patrick S." <darden@armc.org>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>, "Firewall Wizards Security
Mailing List" <firewall-wizards@listserv.cybertrust.com>
Message-ID: <CBE22E5FF427B149A272DD1DDE1075240184E5B3@EX2K3.armc.org>
Content-Type: text/plain; charset="iso-8859-1"


I agreed with Marcus, and I agree with you. These terms
are traditionally unfocused and meaningless marketing
blather. That's why I attempted definitions that would
add meaning in the context of this discussion.

As for tunneling--yeah. You can tunnel through http
or even through icmp (yes, you can tunnel thru ping)
via programs like Loki. However, as I stated, my
definition of levels of security was to make things
more difficult or complex, not the traditional
view of more secure. I think along these lines:

80% total wankers (low level of knowledge)
10% script kiddies (adept with using pre-made programs)
5% good general hackers (truly understand firewalls
and general vulnerabilities)
5% amazing experts in specific areas (amazing level
of knowledge of 1-2 firewalls and a few apps (e.g.
apache, mod-perl, perl)

I am making all these statistics up, it's my world-view
so I am entitled. I figure, however, that level of
complexity or difficulty or knowledge is what makes
a difference, and so if you can discourage the majority
then you have done what you can....

I.e. it is easy to keep out the bottom tier of "hackers".
Most firewalls come pre-configured for thst. With a
little bit of work you can confound the script kiddies as
well. A good security guru can confound the "good general
hackers" as well, by keeping up with patches and the latest
news. Only luck and great expertise will help with the
"amazing experts in specific areas" however--that and
having a well-planned out in-depth security system.

--Patrick Darden

Darren Reed

I think 'deep' is more of a reference about how far they'd like
you to reach into your pocket - again - so they can get their
product bell curve to turn the right way :-)

...

>>*stateful with deep packet inspection: a connection matrix
>>is kept, mindful of sequence #s, checking to make sure that
>>only proper protocols are allowed, and additionally checking
>>for application level sanity--e.g. squid, a web application
>>proxy that allows for various levels of sanity checking on
>>http commands, can ensure that requests follow RFCs, allows a
>>lot of custom filtering/sanitizing such as regexp type addons
>>for getting rid of pop-ups, malware, pushes that might break
>>cgi boundaries, etc.
>>
>>
>
>Now, you're cooking with gas.
>
>

You know for a while, one of my favourite HTTP commands
to a proxy was "CONNECT". telnet straight through
someone's firewall that was HTTP only ;-)

I forget how it went, but something like this:
CONNECT http://12.34.56.78:23 HTTP/1.0

and sometime later, I'd happily see this:

SunOS foo
login:

Of course now people restrict CONNECT to the more usual
ports, such as 443 but since 443 is normally encrypted, it
is uncommon for any content filtering to be applied to it...

Does your ssh server /also/ run on port 443? ;)


...

>Is it possible that a "firewall" is largely "a router
>with a sticker on it that says 'firewall'?"
>
>

The ADSL+router+NAT+Firewall you buy from Safeway at
$29.95 probably is just that :-)


>...
>Unless it's doing a lot of useful "deep" stuff at
>layer-7, I'd say that might be the situation.
>
>The question I want you all to start asking is:
>"What's 'deep' about that?"
>
>

I first heard the term "deep packet inspection" around 5 years
ago and nothing I've seen or heard since then has convinced me
that it is anything other than a marketting term, used by people
trying to sell _something_ (be it themselves, their ideas or products)
that you'd otherwise not think twice about.

And it is the lack of definition about what "deep packet inspection"
is that continues to make it sound good. Nobody appears to have a
precise definition, so everyone can claim it (for different reasons.)

I mean, would you buy a firewall that did stateful filtering, proxying
or deep packet inspection? I mean, what sounds sexier?

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


------------------------------

Message: 5
Date: Wed, 28 Nov 2007 15:59:57 -0500
From: "Darden, Patrick S." <darden@armc.org>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: <darrenr@reed.wattle.id.au>, "Firewall Wizards Security Mailing
List" <firewall-wizards@listserv.icsalabs.com>, "Firewall Wizards
Security Mailing List" <firewall-wizards@listserv.cybertrust.com>
Message-ID: <CBE22E5FF427B149A272DD1DDE1075240184E5CB@EX2K3.armc.org>
Content-Type: text/plain; charset="iso-8859-1"


Hey Darren,

A few of my emails didn't make it to the list. The below
missive doesn't make much sense since it references
"all the reasons I have outlined before".

Here is most relevant missing email:

It depends on the MITM exploit. If you just want to monitor
a stream of traffic, then you are correct. If, however, you
want to hijack the conversation it can be more difficult:

To quote from the certiguide site (very well written
imho) http://www.certiguide.com/secplus/cg_sp_144ManintheMiddle.htm

"Second, an attacker has TCP Sequence numbers to contend with. In a
nutshell, every TCP/IP connection negotiates a TCP Sequence between
both hosts. Subsequently, every TCP packet sent between them has a
TCP Sequence number included in the packet header. This number is
changed for every packet by a prearranged formula, decided on during the TCP handshake stage.

This allows both hosts to ensure they are receiving all the packets
in a TCP conversation, and to ensure that the packets are being
assembled in the correct order. In other words, the TCP Sequence
number is responsible for the quality control of the protocol. If
the sequence number of a packet is wildly out of sequence or just
plain wrong, the packet is discarded (with a few additional
checks). If an attacker is unable to break the TCP Sequence formula,
they won't be able to initiate an MITM attack. Tools such as Nmap75,
mentioned earlier, have options to check the TCP Sequence formula
of the IP stack on a machine and inform you how difficult it would
be to "break" it. This particular attack strategy is called TCP
Sequence Prediction, and crackers have access to tools that do it,
so the stronger your TCP/IP implementation in this regard, the better."

SANS and Neohapsis also have materials covering tcp sequence
prediction, and its role in foiling hackers.

--Patrick Darden


Marcus J. Ranum

Don't any and all MITM attacks work successfully against
any unencrypted (and even a few encrypted) streams?
I didn't even mention MITM because they're pretty much
shooting fish in a barrel.

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com]On Behalf Of
Darren Reed
Sent: Wednesday, November 28, 2007 2:17 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Firewalls that generate new packets..


Darden, Patrick S. wrote:
> Marcus J. Ranum
> ...
>> The hard thing I had to wrap my brain around was the
>> observation that between a router+ACLs combined
>> with the state that is held in the TCP stack of the
>> target, you've got exactly the same thing (and often
>> quite a bit better!) than a "stateful" firewall.
>>
>
> I respecfully disagree for all the reasons I have outlined
> before.... Sum: tcp sequence #s make a difference.
>

So long as you mean "tcp sequence#s" to mean modelling the entire
TCP connection state, yes. The implication that you're missing is that
the TCP window also needs to be tracked (including whether or not
window scaling is being used), along with which flags appeared at
which sequence numbers so you know what to expect next. e.g
the SYN and FIN flags impact sequence numbers without there being
an explicit change in the headers.

If you go to the extreme of only allowing in sequence TCP packets
and ensure that retransmitted data is always the same as the original,
you could argue that the "stateful inspection" mode here becomes a
layer 5 firewall rather than layer 3 or 4. And that's without a proxy :)

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


------------------------------

Message: 6
Date: Wed, 28 Nov 2007 16:05:50 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <6.2.0.14.2.20071128160453.07670d68@ranum.com>
Content-Type: text/plain; charset="us-ascii"

Darren Reed wrote:
>If I can run IPoverDNS through your "layer 7 firewall", is it
>really being a "layer 7 firewall" or a "layer 5 firewall"?

I don't think that covert channels can be eliminated in the
context of "firewall" -- after all, a "firewall" is just one big
juicy mess of overt channels. :)

mjr.

------------------------------

Message: 7
Date: Wed, 28 Nov 2007 15:44:27 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0711281543320.6334-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Wed, 28 Nov 2007, Patrick M. Hausen wrote:

> Sorry to be nitpicking, but can we make that DDOS, then?

As it doesn't need to be distributed, can we just use the old traditional
term "flood?" I mean if we're going to nitpick...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

http://www.fluiditgroup.com/blog/pdr/

Art: http://PaulDRobertson.imagekind.com/

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 19, Issue 31
************************************************

No comments:

Post a Comment