Friday, November 30, 2007

firewall-wizards Digest, Vol 19, Issue 36

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Firewalls that generate new packets.. (Darren Reed)
2. Re: Dark Reading: Firewalls Ready for Evolutionary Shift
(Marcus J. Ranum)
3. Re: Firewalls that generate new packets.. (Marcus J. Ranum)
4. Re: Firewalls that generate new packets.. (Paul D. Robertson)


----------------------------------------------------------------------

Message: 1
Date: Fri, 30 Nov 2007 02:11:00 -0800
From: Darren Reed <darrenr@reed.wattle.id.au>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <474FE1B4.8040202@reed.wattle.id.au>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

I definitely don't classify (2) as a DOS problem. An application/operating
system that crashes because of a bug is presumably fixable. Crashing
something because of bad data is just as likely to happen anyway, without
there needing to be some sort of special attack.

On a well configured network, (3) is going to be almost the same as (1),
so I don't believe there's any point in drawing a distinction. The general
idea is that the target host is given more work than it can cope with and
thus fails to respond in a useful manner.


Darden, Patrick S. wrote:
> I believe you are missing the point. Three types of DOS
>
> 1. bandwidth flood--several dos and most ddos, smurf,
> stacheldraht, only way to protect against them is to
> prevent them, only way to prevent them is if all networks
> protect others from themselves.
>
> 2. purposely (mal)shaped packets--teardrop, ping of death, etc.;
> any good firewall prevents known examples.
>
> 3. application shaped--e.g. sending a continuous stream of
> connection packets to an apache web server, letting them time
> out at 15 minutes, thus keeping others from connecting; etc.
> Most security features provide *very limited* relief from this,
> limiting the # of connections from the same sip, decreasing
> tcp timeout from 15 mins to 30 seconds, etc.
>
> Helpful?
>
> --Patrick Darden
>
>
>
> -----Original Message-----
>
> >....
> >http://www.sans.org/dosstep/index.php?portal=fa88d69a3aede10976f8f2dc977d796e
> >
> >
>
> I see nothing in that article that explains how a firewall
> can be used to defend against a DOS (or DDOS) attack.
>
> All I see is how to avoid yourself from being used as the
> source of one - where source IP addresses are forged.
>
> When I've got an army of 100,000 pc's scattered around
> the globe ready to try and connect() to your web server
> (without spoofing an IP#), how does anything in that
> article help?
>
> Darren
>
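A small model of the "application shaped" connection-exhaustion DoS in Patrick's item 3 and the two mitigations he lists (a per-source connection limit and a shorter idle timeout), added here as an example and not code from the thread or its posters. It assumes a fixed-size connection table, a hypothetical attacker rate, and constructed TEST-NET addresses.

```python
# Connection-slot exhaustion model for the "application shaped" DoS above. Constructed example.
from dataclasses import dataclass, field

@dataclass
class Listener:
    max_slots: int              # server's connection table size (e.g. Apache worker limit)
    idle_timeout: float         # seconds before an idle connection is reaped
    per_source_limit: int = 0   # firewall rule: concurrent conns per source IP (0 = off)
    table: dict = field(default_factory=dict)   # conn id -> (src_ip, opened_at)
    next_id: int = 0
    def reap(self, now: float) -> None:
        """Drop connections that have sat idle for idle_timeout or longer."""
        for cid in [c for c, (_, t) in self.table.items() if now - t >= self.idle_timeout]:
            del self.table[cid]

    def connect(self, src_ip: str, now: float) -> bool:
        """Admit a new connection unless a per-source or table limit blocks it."""
        self.reap(now)
        held = sum(1 for ip, _ in self.table.values() if ip == src_ip)
        if self.per_source_limit and held >= self.per_source_limit:
            return False
        if len(self.table) >= self.max_slots:
            return False
        self.table[self.next_id] = (src_ip, now)
        self.next_id += 1
        return True

def legit_served(attacker_ips, rate, duration, **listener_kw) -> int:
    """Attackers open `rate` connections/s round-robin over attacker_ips and never finish
    them. Once per second a legitimate client (192.0.2.10, a TEST-NET address) connects
    and releases its slot at once. Returns how many of its `duration` attempts got a slot."""
    srv = Listener(**listener_kw)
    served = 0
    for sec in range(duration):
        for i in range(rate):
            srv.connect(attacker_ips[(sec * rate + i) % len(attacker_ips)], sec)
        if srv.connect("192.0.2.10", sec + 0.5):
            served += 1
            del srv.table[srv.next_id - 1]   # legitimate request completes immediately
    return served

if __name__ == "__main__":
    one = ["198.51.100.7"]                            # one attacking host
    many = [f"203.0.113.{i}" for i in range(1, 101)]  # 100 attacking hosts
    base = dict(max_slots=100, rate=3, duration=60)   # 100 slots, 3 new conns/s, 60 s
    print("no mitigation, 1 source    :", legit_served(one, idle_timeout=900, **base))
    print("30 s timeout, 1 source     :", legit_served(one, idle_timeout=30, **base))
    print("5/source limit, 1 source   :", legit_served(one, idle_timeout=900, per_source_limit=5, **base))
    print("5/source limit, 100 sources:", legit_served(many, idle_timeout=900, per_source_limit=5, **base))
```

With one attacking host, either mitigation keeps the legitimate client served for all 60 seconds; spread the same rate over 100 hosts and the per-source limit gives no relief at all, which is the point Darren makes about an army of machines connecting without spoofing.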

------------------------------

Message: 2
Date: Fri, 30 Nov 2007 00:09:35 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Dark Reading: Firewalls Ready for Evolutionary
Shift
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <6.2.0.14.2.20071130000404.03ed26b0@ranum.com>
Content-Type: text/plain; charset="us-ascii"

George Capehart wrote:
>Some light reading for the weekend . . . Thought it'd stir the pot a
>bit more for the "Firewalls that generate new packets . . ." thread. ;>
>
>http://www.darkreading.com/document.asp?doc_id=140121&f_src=drweekly

George, since when does "stirring the pot" consist of kicking a tiger
in the b*lls?? Because that was my immediate reaction on reading
that article!!! I started prowling my cage looking for something to
chomp!

"Next Generation firewalls"? Gosh, oh, golly - it sounds like what
they're calling "Next Generation firewalls" are kinda sorta like
"what firewalls were supposed to do all along."

I notice that Nir Zuk is a primary source for this article, as well.
It sounds like some P.R. agency has done a good job pimping*
a certain start-up that is getting ready to "ramp"** a product. :)
I have no idea if the product is any good or not but using a
network processor to do layer-7 stuff is not exactly rocket
science!

I think Kelly Higgins is interviewing me next week. I'll make sure to
drag this article up as a topic. :)

mjr.
--
* not a marketing buzz word
** a token marketing buzzword


------------------------------

Message: 3
Date: Fri, 30 Nov 2007 00:27:53 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <6.2.0.14.2.20071130001235.03ed1be8@ranum.com>
Content-Type: text/plain; charset="us-ascii"

Timothy Shea wrote:
>I would add to your comments that
>an outgoing proxy (such as squid or bluecoat) allows you to eliminate
>the dreaded "completely open outbound default" rule found on many
>corporate firewalls and allows a higher degree of auditing.

You raise a really interesting point - and the next big problem.
Namely, that's going to be malcode that tunnels over SSL. It's
already a problem, but it's still at the "tip of the iceberg" stage.

I like asking my clients what they have in place to deal with
that when it comes. By the way, I don't think that border
decryptor/MITM proxies are the answer; they'll get DDOS'd
by malcode traffic from within if the floodgates open the
way I expect them to. The right answer would be to white-list
sites that are business critical for SSL and deny all the
rest. I predict a long period of denial, thrashing, hand-wringing,
duct-tape, and band-aids before reality sets in. Although
with the new high-speed silicon-based band-aids the race
will be neck and neck for a while.

#include <obligatory/itoldyouso.h>

mjr.
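One way to audit what Timothy's outbound proxy and Marcus's SSL allowlist idea would cover: flag CONNECT tunnels in a Squid-style access log whose destination is not on the business-critical list, grouped by the internal clients that reached them. This is an added example, not code from the thread or from Squid; it assumes Squid's native access.log field order, and the log lines, host names and allowlist are constructed.

```python
# Audit of outbound CONNECT (SSL tunnel) requests in a Squid-style access log against a
# business-critical allowlist. Constructed example; the log lines and host names are made up.
import re
from collections import defaultdict

# Squid native access.log field order: time elapsed client status/code bytes method url ...
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def parse_connects(lines):
    """Yield (client, host, port) for each CONNECT request the proxy saw."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "CONNECT":
            continue
        url = m["url"]
        host, _, port = url.rpartition(":") if ":" in url else (url, "", "")
        yield m["client"], host.lower(), int(port or 443)

def audit_ssl_tunnels(lines, allowlist):
    """Return {host:port: set(clients)} for tunnels to hosts outside the allowlist;
    these are exactly the flows a deny-by-default SSL policy would have refused."""
    allowed = {h.lower() for h in allowlist}
    hits = defaultdict(set)
    for client, host, port in parse_connects(lines):
        if host not in allowed:
            hits[f"{host}:{port}"].add(client)
    return dict(hits)

SAMPLE_LOG = """\
1196400000.101    245 10.0.0.5 TCP_TUNNEL/200 3521 CONNECT mail.example.com:443 - HIER_DIRECT/192.0.2.1 -
1196400001.400     12 10.0.0.5 TCP_TUNNEL/200   980 CONNECT updates.example.net:443 - HIER_DIRECT/198.51.100.9 -
1196400002.030     15 10.0.0.7 TCP_TUNNEL/200   990 CONNECT updates.example.net:443 - HIER_DIRECT/198.51.100.9 -
1196400002.700    300 10.0.0.9 TCP_MISS/200  15200 GET http://www.example.org/index.html - HIER_DIRECT/192.0.2.2 text/html
1196400003.150     14 10.0.0.9 TCP_TUNNEL/200   975 CONNECT UPDATES.example.net:8443 - HIER_DIRECT/198.51.100.9 -
1196400004.000    120 10.0.0.7 TCP_TUNNEL/200  4100 CONNECT bank.example.com:443 - HIER_DIRECT/192.0.2.3 -
""".splitlines()

ALLOWLIST = ["mail.example.com", "bank.example.com"]   # constructed business-critical SSL sites

if __name__ == "__main__":
    for dst, clients in sorted(audit_ssl_tunnels(SAMPLE_LOG, ALLOWLIST).items()):
        print(f"{dst:<28} {len(clients)} client(s): {', '.join(sorted(clients))}")
```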

------------------------------

Message: 4
Date: Fri, 30 Nov 2007 07:51:23 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: darrenr@reed.wattle.id.au, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0711300749560.16249-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 30 Nov 2007, Darren Reed wrote:

> I definitely don't classify (2) as a DOS problem. An application/operating

System crashes, availability is 0, how is that not a DoS? If we're going
to use a standard vocabulary (and I think we must) then we can't
individually pick what the words mean.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

http://www.fluiditgroup.com/blog/pdr/

Art: http://PaulDRobertson.imagekind.com/

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 19, Issue 36
************************************************
