On Fri, 8 Dec 2000, Frédéric FROISSART wrote:
> > This exposes FW-1 installations to risk. Attacks can be used
> > against the firewall that are based on the firewall initiating
> > connections (which would not be inspected). Examples include
> > packets whose TTL expire at the firewall, causing the firewall
> > to initiate an ICMP TTL error message which can be used to map
> > firewall rulebases.
>
> Have you got other examples of similar attacks that are based on the firewall
> initiating connections?
This is the only one I have tested and confirmed. However, never doubt
the creativity of the blackhat community. I'm sure other attacks
exist, such as having the firewall initiate a specific DNS lookup,
NTP updates, syslog messages, etc. It all depends on what functionality
you expect of your firewall. As for the TTL rulebase mapping, that is
a threat most common if the rulebase is NOT filtering packets initiated
by the firewall. For more information on TTL risks involved, check out
the utility 'firewalk'. I will be updating my "Auditing Your FW Setup"
paper that details this methodology.
hope this helps ...
Lance Spitzner
http://project.honeynet.org
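The two points in this reply (a TTL that expires at the firewall makes the firewall itself originate an ICMP error, and the exposure only exists when the rulebase does not filter firewall-initiated packets) can be modelled in a few lines. The following is an added example written for this archive page, not code from Lance Spitzner, firewalk or Check Point. It assumes a constructed path of N routers followed by the firewall, a boolean `fw_filters_own_traffic` standing in for a rulebase that inspects firewall-originated traffic, and a constructed key=value log format where `ttl` is the value seen on arrival at the firewall's external interface; `route_packet` and `find_ttl_probe_sources` are hypothetical names.

```python
"""Model of the TTL-expiry information leak and a simple log heuristic for it.
Added example; path layout, log format and function names are assumptions."""
from collections import defaultdict

ICMP_TIME_EXCEEDED = "ICMP time-exceeded"


def route_packet(ttl, hops_to_firewall, fw_filters_own_traffic):
    """Walk one packet along a constructed path: `hops_to_firewall` routers,
    then the firewall, then the protected host. Each hop decrements TTL and
    discards the packet (answering with ICMP time-exceeded) when it reaches 0.
    Returns what the original sender would observe."""
    for hop in range(1, hops_to_firewall + 1):
        ttl -= 1
        if ttl == 0:
            return f"{ICMP_TIME_EXCEEDED} from router {hop}"
    # The firewall is the next hop. If TTL expires here, the firewall itself
    # must originate the ICMP error; whether it leaves depends on whether the
    # rulebase is applied to traffic the firewall initiates.
    ttl -= 1
    if ttl == 0:
        if fw_filters_own_traffic:
            return "no reply (firewall-originated ICMP dropped by rulebase)"
        return f"{ICMP_TIME_EXCEEDED} from firewall"
    return "forwarded past the firewall"


# Constructed firewall log excerpt (not real data). `ttl` is the value on
# arrival, so ttl=1 means the firewall's own decrement expires the packet.
CONSTRUCTED_LOG = """\
src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=22 ttl=1
src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=25 ttl=1
src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=80 ttl=1
src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443 ttl=1
src=198.51.100.7 dst=192.0.2.10 proto=udp dport=53 ttl=1
src=203.0.113.4 dst=192.0.2.10 proto=tcp dport=80 ttl=57
src=203.0.113.4 dst=192.0.2.10 proto=tcp dport=443 ttl=57
src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=80 ttl=1
"""


def parse_line(line):
    """Parse one constructed 'key=value key=value' log line into a dict."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["dport"] = int(rec["dport"])
    rec["ttl"] = int(rec["ttl"])
    return rec


def find_ttl_probe_sources(log_text, min_ports=4):
    """Return sources that sent packets expiring exactly at the firewall to at
    least `min_ports` distinct destination ports. A single low-TTL packet is
    ordinary (traceroute, long paths); many of them spread across ports from
    one source is the pattern a rulebase-mapping attempt would leave behind."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["ttl"] == 1:
            ports_by_src[rec["src"]].add(rec["dport"])
    return sorted(src for src, ports in ports_by_src.items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    # Two routers in front of the firewall; TTL 3 expires on the firewall itself.
    print(route_packet(3, hops_to_firewall=2, fw_filters_own_traffic=False))
    print(route_packet(3, hops_to_firewall=2, fw_filters_own_traffic=True))
    print(find_ttl_probe_sources(CONSTRUCTED_LOG))
```

The model makes the mitigation concrete: with `fw_filters_own_traffic=False` the firewall answers with its own ICMP error and thereby confirms its position and the port it was reached on; with the rulebase applied to firewall-initiated packets the same probe gets silence. The log heuristic is deliberately conservative (distinct-port count from one source) so that ordinary traceroutes, which touch one port, are not flagged.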
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_nfr.com
http://www.nfr.com/mailman/listinfo/firewall-wizards
Received on Dec 09 2000