Wednesday, November 28, 2007

firewall-wizards Digest, Vol 19, Issue 32

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Firewalls that generate new packets.. (AMuse)
2. Re: Firewalls that generate new packets.. (Darren Reed)
3. Re: Firewalls that generate new packets.. (Marcus J. Ranum)
4. Re: Firewalls that generate new packets.. (Patrick M. Hausen)
5. ***SPAM*** Re: Firewalls that generate new packets.. (Dave Piscitello)
6. Re: Firewalls that generate new packets.. (Marcus J. Ranum)
7. Re: Firewalls that generate new packets.. (AMuse)
8. Re: Firewalls that generate new packets.. (Paul D. Robertson)


----------------------------------------------------------------------

Message: 1
Date: Wed, 28 Nov 2007 10:26:41 -0800
From: AMuse <amuse@foofus.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <474DB2E1.4050205@foofus.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Marcus: Not that I have tons to add to the discussion, but I have to ask
logically: If TCP Sequence numbers did NOT make a difference then why
do we go to so much trouble in the TCP stack to make them difficult to
predict?

Darden, Patrick S. wrote:
>
> Marcus J. Ranum
>
>
>
>> The hard thing I had to wrap my brain around was the
>> observation that between a router+ACLs combined
>> with the state that is held in the TCP stack of the
>> target, you've got exactly the same thing (and often
>> quite a bit better!) than a "stateful" firewall.
>>
>
> I respectfully disagree for all the reasons I have outlined
> before.... Sum: tcp sequence #s make a difference.
>
> --Patrick Darden
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

------------------------------

Message: 2
Date: Wed, 28 Nov 2007 13:30:12 -0800
From: Darren Reed <Darren.Reed@Sun.COM>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <474DDDE4.9020307@Sun.COM>
Content-Type: text/plain; format=flowed; charset=us-ascii

Darden, Patrick S. wrote:

>No offense, but both of you are wrong.
>Properly configured, a simple firewall
>CAN prevent most DOS attacks.
>
>Check out this SANS bulletin on
>"Defeating DDOS". Yes, that is my
>name in the credits. Special task
>force back in 2000. Sigh, and still
>people don't know that you can use
>a simple firewall to defeat most
>DOS attacks... as long as you are
>protecting the world from YOUR
>network.
>....
>http://www.sans.org/dosstep/index.php?portal=fa88d69a3aede10976f8f2dc977d796e
>
>

I see nothing in that article that explains how a firewall
can be used to defend against a DOS (or DDOS) attack.

All I see is how to keep yourself from being used as the
source of one - where source IP addresses are forged.

When I've got an army of 100,000 pc's scattered around
the globe ready to try and connect() to your web server
(without spoofing an IP#), how does anything in that
article help?

Darren

------------------------------

Message: 3
Date: Wed, 28 Nov 2007 16:18:10 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <6.2.0.14.2.20071128161005.076b4380@ranum.com>
Content-Type: text/plain; charset="us-ascii"

Patrick M. Hausen wrote:
>Sorry to be nitpicking, but can we make that DDOS, then?

DDOS = "Distributed Denial Of Service"
I.e.: the attack is not originating from a single source. The term
DDOS hasn't got anything to do with the mechanism of the
attack. A lot of DDOS attacks are bandwidth saturation attacks,
but not all.

>At least I used to think of DOS as "ping of death" or
>"carefully crafted application packet of death" in contrast
>to DDOS as "simply swamp your uplink by thousands of bots".

DDOSing is a technique for launching a DOS attack. So,
by definition, all DDOS attacks will be a subset of DOS
attacks.

I understand how you want to use the terminology but it's
not in line with the normal usage (as I understand it). I
don't think there's an official term for DOS attacks that
take advantage of a flaw (e.g.: ping of death) as opposed
to resource usage attacks (e.g.: bandwidth saturation
or CPU exhaustion).

>Firewalls can protect against the former.

That's correct.

I think the reason Darren and I jumped on that nitpick with
our boots on is because we periodically run into vendors
who claim to be able to "block DOS attacks." Which
we know is impossible.

mjr.

------------------------------

Message: 4
Date: Wed, 28 Nov 2007 22:00:55 +0100
From: "Patrick M. Hausen" <hausen@punkt.de>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20071128210055.GA32069@hugo10.ka.punkt.de>
Content-Type: text/plain; charset=iso-8859-1

Hi!

On Tue, Nov 27, 2007 at 09:18:20PM -0800, Darren Reed wrote:
> >State tables allow your firewall to have a deny-all
> >default inbound policy and an allow-all default outbound policy. They allow
> >you to assume that the Internet cannot be trusted and that your internal
> >network can be.
>
> I don't see how this is any different to any other firewall.

Strict proxy firewalls cannot implement an "allow all outbound" policy.
And all the "proxy by design but packet filters as an addon" products
I have seen so far ship with only proxy rules enabled in their
default configuration.

So they are less convenient for a certain class of users and some
applications "do not work" out of the box. Which is the point of
the firewall. Which is a point a certain class of users does not get.

Kind regards,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit
--
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info@punkt.de

http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285


------------------------------

Message: 5
Date: Wed, 28 Nov 2007 17:07:35 -0500
From: Dave Piscitello <dave@corecom.com>
Subject: [fw-wiz] ***SPAM*** Re: Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <474DE6A7.4060903@corecom.com>
Content-Type: text/plain; charset="iso-8859-1"

Let's lower the testosterone, tease out the two discussions that are
running in parallel and find some useful points to share.

I hope we agree that:

1) stopping DDOS attacks directed AT you, from multiple (spoofed)
sources, is something few firewalls can do if the attack is
large/amplified/sustained. It's hard even with additional security
measures, and cooperation from upstream providers. If someone really
wants you badly and has the "connections" (pun intended) he can make
life pretty miserable for you regardless of the firewall you use.
[Anycasting helped root name servers withstand DDOS amplification
attacks, perhaps this is promising for other applications.]

2) preventing hosts protected by a firewall you administer from acting
as sources for (1) is something firewalls can do (at least in a limited
capacity).

My experience is that many firewall admins worry about (1) more than (2)
in part because DDOS attacks are familiar to the culture and the effects
of a DDOS attack directed at your organization often have a financial and
reputational impact. Only recently are botnets, fast flux hosting, and
other attacks earning "pop news" attention, so until recently, dedicated
and earnest security practitioners have encouraged (2).


Darren Reed wrote:
> Darden, Patrick S. wrote:
>
>> No offense, but both of you are wrong.
>> Properly configured, a simple firewall
>> CAN prevent most DOS attacks.
>>
>> Check out this SANS bulletin on
>> "Defeating DDOS". Yes, that is my
>> name in the credits. Special task
>> force back in 2000. Sigh, and still
>> people don't know that you can use
>> a simple firewall to defeat most
>> DOS attacks... as long as you are
>> protecting the world from YOUR
>> network.
>> ....
>> http://www.sans.org/dosstep/index.php?portal=fa88d69a3aede10976f8f2dc977d796e
>>
>>
>
> I see nothing in that article that explains how a firewall
> can be used to defend against a DOS (or DDOS) attack.
>
> All I see is how to avoid yourself from being used as the
> source of one - where source IP addresses are forged.
>
> When I've got an army of 100,000 pc's scattered around
> the globe ready to try and connect() to your web server
> (without spoofing an IP#), how does anything in that
> article help?
>
> Darren
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>


------------------------------

Message: 6
Date: Wed, 28 Nov 2007 16:59:26 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <6.2.0.14.2.20071128165053.03a656e0@ranum.com>
Content-Type: text/plain; charset="us-ascii"

AMuse wrote:
>Marcus: Not that I have tons to add to the discussion, but I have to ask
>logically: If TCP Sequence numbers did NOT make a difference then why
>do we go to so much trouble in the TCP stack to make them difficult to
>predict?

I'm not saying they don't make a difference!! That was not the objective at all.

Usually when the "proxies versus stateful" thread flares up (like herpes,
it never goes away...) I try to approach the issue from the point of
view of discussing the various controls that can be layered at various
places in the security stack, and where the leverage is (or isn't) and
so forth. This time, I thought I'd try a different tactic - namely to get
people to explore exactly what "stateful inspection" or "stateful
firewalls" are and do - what is the value of that "state"?

Yeah, me and Socrates. I'm going to go drink some hemlock now,
and prepare for the next flare-up.

mjr.

------------------------------

Message: 7
Date: Wed, 28 Nov 2007 14:25:32 -0800
From: AMuse <amuse@foofus.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <474DEADC.9000908@foofus.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

I love the Socratic method, don't get me wrong! I was just trying to do
something similar: If we go to all the trouble to randomize sequence,
clearly there was (and presumably still is) a reason for doing so.

That said, I recommend against the Hemlock - all it did was make
Socrates very sick, and he had to cut his wrists AND suffocate in steam
before he finally gave up the ghost. :)

Marcus J. Ranum wrote:
> Yeah, me and Socrates. I'm going to go drink some hemlock now,
> and prepare for the next flare-up.
>
> mjr.
>

------------------------------

Message: 8
Date: Wed, 28 Nov 2007 17:17:58 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0711281552180.6334-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Wed, 28 Nov 2007, Darden, Patrick S. wrote:

> Hey Darren,
>
> A few of my emails didn't make it to the list. The below
> missive doesn't make much sense since it references
> "all the reasons I have outlined before".

The list is still moderated, and the moderator approves some stuff
immediately, mulls over others, discards some and rejects others. Since
the list has always been moderated I'm not sure why folks aren't
remembering this...

> Here is most relevant missing email:
>
> It depends on the MITM exploit. If you just want to monitor
> a stream of traffic, then you are correct. If, however, you
> want to hijack the conversation it can be more difficult:

You're assuming a blind attack, a very dangerous assumption. Even with a
blind attack, you're assuming that (a) the attacker's prediction efforts
are stymied by hard-to-predict sequence numbers and (b) the attacker
(or defender) lacks enough bandwidth to brute force the sequence number
or the likely sequence number space.

In the case of (a), while the research has held up non-predictability in
many modern stacks, we really don't know if the results for a particular
set of hardware and software are predictable given some additional data
like platform, OS and initial boot time, other connections to the same
stack, etc.

> TCP Sequence number included in the packet header. This number is
> changed for every packet by a prearranged formula, decided on during the
> TCP handshake stage.

"Prearranged formula decided on during the TCP handshake?"

Wanna show me where in the TCP spec there's some formula negotiation?
AFAIR the spec (RFC793) handles the progression of ISN+1 and SND.NXT and
RCV.NXT in the specification, not the handshake; what am I missing?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

http://www.fluiditgroup.com/blog/pdr/

Art: http://PaulDRobertson.imagekind.com/
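Added example, not written by any poster in this thread: a minimal model of the RFC 793 sequence bookkeeping Paul refers to (SND.NXT, RCV.NXT, the ISN). It shows that nothing is "negotiated" during the handshake, each side simply picks its own ISN and then counts bytes (SYN and FIN each consume one number), and it includes the receive-window acceptability test that a stack, or any firewall claiming to track connection state, has to apply to each segment, including across the 2^32 wrap. The class and function names (TcpEndpoint, handshake) are assumptions; the sequence numbers used are constructed.

```python
# Constructed example of RFC 793 sequence-number bookkeeping.
SYN, FIN, ACK = 0x02, 0x01, 0x10
MOD = 1 << 32                      # sequence numbers wrap modulo 2^32


class TcpEndpoint:
    """One side's sequence state: SND.NXT (what we send next) and RCV.NXT
    (what we expect next from the peer), plus our advertised window."""

    def __init__(self, isn, rcv_wnd=65535):
        self.snd_nxt = isn          # ISS: chosen locally, never negotiated
        self.rcv_nxt = None         # IRS+1 once the peer's SYN has been seen
        self.rcv_wnd = rcv_wnd

    def send(self, flags=0, length=0):
        seg = {"seq": self.snd_nxt, "flags": flags, "len": length}
        # SYN and FIN each occupy one sequence number; data occupies one per byte
        consumed = length + bool(flags & SYN) + bool(flags & FIN)
        self.snd_nxt = (self.snd_nxt + consumed) % MOD
        return seg

    def in_window(self, seq):
        """RFC 793 acceptability test for a segment's first sequence number;
        modular subtraction keeps the test correct across the 2^32 wrap."""
        return (seq - self.rcv_nxt) % MOD < self.rcv_wnd

    def receive(self, seg):
        """True if the segment is acceptable; RCV.NXT advances only for
        in-order segments (out-of-order but in-window data is left queued)."""
        if seg["flags"] & SYN and self.rcv_nxt is None:
            self.rcv_nxt = (seg["seq"] + 1) % MOD   # learn IRS from the peer's SYN
            return True
        if self.rcv_nxt is None or not self.in_window(seg["seq"]):
            return False                            # a stack (or state table) drops this
        if seg["seq"] == self.rcv_nxt:
            consumed = seg["len"] + bool(seg["flags"] & FIN)
            self.rcv_nxt = (seg["seq"] + consumed) % MOD
        return True


def handshake(client_isn, server_isn):
    """Three-way handshake; returns (client, server) ready to exchange data."""
    c, s = TcpEndpoint(client_isn), TcpEndpoint(server_isn)
    s.receive(c.send(SYN))          # SYN: client ISN announced
    c.receive(s.send(SYN | ACK))    # SYN/ACK: server ISN announced
    s.receive(c.send(ACK))          # ACK: consumes no sequence number
    return c, s
```

After the handshake each side's RCV.NXT is exactly the peer's ISN+1, which is the whole of the "state" a stateful filter would need to mirror to check a segment's sequence number against the window.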


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 19, Issue 32
************************************************
