Security Basics
mailing list archives
RE: an error in the NMAP docs?
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 5 Apr 2005 08:52:12 -0700
A *stateful* packet filter only allows response traffic back in
if it saw the initial traffic going out. BUT NOT ALL PACKET FILTERS
ARE STATEFUL.
DNS requests are normally made using UDP, but sometimes the answer
is "here is a partial result, but the whole result is available if
you ask again via TCP". Admins who don't have details of this mechanism,
but who *do* know that DNS falls back to TCP when the result set is large,
may expect the server to open a TCP connection to the client to return
this result, and so configure things to permit that. (It was only within
the last month that *I* learned how this really works....)
In normal (non-PASV) FTP, the server opens the data connection back to
the client, sourced from port 20. IF you allow clients to talk non-PASV
FTP, you have to allow this or FTP won't work.
A stateful packet filter will observe the FTP *control* connection
(outbound to port 21) and open the negotiated port back from the server
as needed. But there are still plenty of networks where a stateless packet
filter has to assume inbound connections from port 20 are FTP data
connections, and the NMAP docs are correct that violating this assumption
makes for a pretty convenient gaping security hole.
David Gillett
-----Original Message-----
From: Michael Herz [mailto:mherz () uwaterloo ca]
Sent: Friday, April 01, 2005 8:05 AM
To: security-basics () securityfocus com
Subject: an error in the NMAP docs?
Hi all,
Is there an error in the NMAP docs? The --source_port section says:

"Many naive firewall and packet filter installations make an exception in their rule-set to allow DNS (53) or FTP-DATA (20) packets to come through and establish a connection. Obviously this completely subverts the security advantages of the firewall since intruders can just masquerade as FTP or DNS by modifying their source port."

This implies that the hole in a packet filtered machine exists if it has allowed inbound DNS or FTP connections. I don't believe this is true. I think the hole only exists if the machine has allowed outbound (ie client) connections from the machine. For example if the machine allowed outbound DNS client requests to the world, using --source_port 53 would exploit the hole.
Any comments would be appreciated.
Mike
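The difference the two messages above are arguing about, as an added simulation that is not part of either poster's mail: a stateless filter with the "trust source port 20/53" exception described in the nmap docs, next to a stateful filter that only admits inbound packets matching a flow it saw leave. The addresses, ports and the `note_ftp_port_command` hook (standing in for a real FTP helper that parses the PORT command on the control channel) are constructed for the example.

```python
"""Toy stateless vs. stateful packet filter (constructed example, not a real firewall)."""
from dataclasses import dataclass
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")  # constructed: the protected LAN


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str          # "tcp" or "udp"
    syn: bool = False   # True for a TCP connection attempt (SYN, no ACK)


def inbound(pkt: Packet) -> bool:
    """Inbound = from outside the LAN to a host inside it."""
    return (ipaddress.ip_address(pkt.dst_ip) in INSIDE
            and ipaddress.ip_address(pkt.src_ip) not in INSIDE)


class StatelessFilter:
    """The 'naive' filter the nmap docs describe: a fixed exception by source port."""
    TRUSTED_SRC_PORTS = {20, 53}

    def allow(self, pkt: Packet) -> bool:
        if not inbound(pkt):
            return True                      # anything outbound is permitted
        return pkt.src_port in self.TRUSTED_SRC_PORTS


class StatefulFilter:
    """Admits inbound traffic only as the reverse of a flow it saw go out."""

    def __init__(self):
        self.flows = set()      # (inside_ip, inside_port, outside_ip, outside_port, proto)
        self.expected = set()   # one-shot pinholes for active-mode FTP data connections

    def note_ftp_port_command(self, client_ip, client_port, server_ip):
        """Hypothetical hook: called when PORT is seen on an outbound control connection."""
        self.expected.add((client_ip, client_port, server_ip, 20, "tcp"))

    def allow(self, pkt: Packet) -> bool:
        if not inbound(pkt):
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return True
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self.flows:
            return True                      # reply to something we saw leave
        if pkt.proto == "tcp" and pkt.syn and reverse in self.expected:
            self.expected.discard(reverse)   # consume the FTP pinhole
            self.flows.add(reverse)
            return True
        return False                         # unsolicited, whatever its source port


def run_scenarios() -> dict:
    """Returns {scenario: (stateless_verdict, stateful_verdict)} for constructed traffic."""
    stateless, stateful = StatelessFilter(), StatefulFilter()
    results = {}

    # 1. Ordinary UDP DNS: client query out, resolver answer back from port 53.
    query = Packet("10.1.1.5", 40000, "198.51.100.2", 53, "udp")
    reply = Packet("198.51.100.2", 53, "10.1.1.5", 40000, "udp")
    for f in (stateless, stateful):
        f.allow(query)
    results["dns_udp_reply"] = (stateless.allow(reply), stateful.allow(reply))

    # 2. Truncated answer: the *client* retries over TCP, so the server never
    #    needs to open a connection back; the SYN-ACK is just a reply again.
    tcp_q = Packet("10.1.1.5", 40001, "198.51.100.2", 53, "tcp", syn=True)
    tcp_r = Packet("198.51.100.2", 53, "10.1.1.5", 40001, "tcp")
    for f in (stateless, stateful):
        f.allow(tcp_q)
    results["dns_tcp_retry"] = (stateless.allow(tcp_r), stateful.allow(tcp_r))

    # 3. Unsolicited SYN from source port 53 to an internal service.
    forged = Packet("203.0.113.9", 53, "10.1.1.5", 445, "tcp", syn=True)
    results["unsolicited_src_53"] = (stateless.allow(forged), stateful.allow(forged))

    # 4. Active FTP: control out to 21, server opens data connection back from 20.
    ctrl = Packet("10.1.1.5", 41000, "198.51.100.7", 21, "tcp", syn=True)
    for f in (stateless, stateful):
        f.allow(ctrl)
    stateful.note_ftp_port_command("10.1.1.5", 41001, "198.51.100.7")
    data = Packet("198.51.100.7", 20, "10.1.1.5", 41001, "tcp", syn=True)
    results["ftp_active_data"] = (stateless.allow(data), stateful.allow(data))

    # 5. Unsolicited SYN from source port 20 to some other internal service.
    forged20 = Packet("203.0.113.9", 20, "10.1.1.5", 22, "tcp", syn=True)
    results["unsolicited_src_20"] = (stateless.allow(forged20), stateful.allow(forged20))
    return results


if __name__ == "__main__":
    for name, (sl, sf) in run_scenarios().items():
        print(f"{name:20s} stateless={sl!s:5s} stateful={sf}")
```

Both filters pass the legitimate DNS and FTP traffic; only the stateless one also passes the unsolicited connections in scenarios 3 and 5, which is the "gaping hole" the docs refer to. Scenario 2 shows why the TCP fallback needs no inbound exception at all: the retry is client-initiated.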