Firewall Wizards: Re: FW-1 initiate connection rule

From: Frédéric FROISSART <frederic.froissart_at_icdc.caissedesdepots.fr>
Date: Fri, 08 Dec 2000 11:32:56 +0100

Hi everybody,

Lance Spitzner wrote:

> Just thought of a cool rule hack for CheckPoint
> FW-1 firewalls. Many of you may have thought of this
> before, but I haven't seen it discussed.
>
> 1. PROBLEM
> -----------
> Many FW-1 installations only inspect inbound packets as
> opposed to eitherbound. This is done on purpose. For
> large, complex rulebases, eitherbound rule sets can be
> difficult to troubleshoot. Many organizations choose to
> inspect packets only inbound as it is far easier to maintain
> and troubleshoot.
>
> This exposes FW-1 installations to risk. Attacks can be used
> against the firewall that are based on the firewall initiating
> connections (which would not be inspected). Examples include
> packets whose TTL expires at the firewall, causing the firewall
> to initiate an ICMP TTL error message which can be used to map
> firewall rulebases.

Have you got other examples of similar attacks that are based on the firewall
initiating connections?

Fred

_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_nfr.com
http://www.nfr.com/mailman/listinfo/firewall-wizards
Received on Dec 09 2000
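The TTL-expiry probing that Lance's quoted paragraph describes, written out as an added example; this is not code from the thread, from Check Point, or from any existing firewall-mapping tool. It builds TCP SYN probes whose TTL is set to expire at the firewall hop, then correlates the ICMP Time Exceeded replies back to the probes through the quoted inner header (RFC 792 requires the original IP header plus 8 bytes of payload), which is what lets one tell which destination ports got a reply. The addresses (RFC 5737 documentation ranges), the hop count FW_HOPS, and the scenario in demo() are all constructed; the scenario assumes, as the quoted post does, that a probe the inbound rulebase denies is dropped with no reply while a permitted probe reaches the forwarding path and gets a Time Exceeded from the firewall that outbound inspection never sees. Nothing is sent on the wire.

```python
import socket
import struct

# Constructed topology: the scanner, the firewall's outside address, a host
# behind it, and the assumed hop count to the firewall (e.g. from traceroute).
SCANNER = "192.0.2.10"
FIREWALL = "198.51.100.1"
TARGET = "203.0.113.20"
FW_HOPS = 3


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 over a correctly checksummed header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn_probe(src, dst, sport, dport, ttl, ident):
    """IPv4 + TCP SYN (no options) with valid checksums; ttl chosen by the caller,
    ident used later to match a reply to this probe."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp)))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0, ttl,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def build_time_exceeded(reporter, probe):
    """What the firewall emits when the probe's TTL hits zero: ICMP type 11 code 0
    from reporter to the probe's source, quoting the probe's IP header + 8 bytes."""
    probe_ihl = (probe[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + probe[: probe_ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     socket.IPPROTO_ICMP, 0, socket.inet_aton(reporter), probe[12:16])
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_time_exceeded(packet):
    """Return (reporter_ip, quoted_ident, quoted_dport) for an ICMP Time Exceeded,
    or None for anything else (non-ICMP, other types, bad checksum, truncated quote)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_ICMP:
        return None
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp[0] != 11 or inet_checksum(icmp) != 0:
        return None
    inner = icmp[8:]                       # quoted original IP header + payload
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 4:         # need at least the quoted TCP ports
        return None
    ident = struct.unpack("!H", inner[4:6])[0]
    dport = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    return socket.inet_ntoa(packet[12:16]), ident, dport


def map_rulebase(probes, replies, firewall_ip):
    """Per probed port: 'icmp-from-firewall' if the firewall answered the TTL
    expiry, 'no-reply' if nothing came back, or 'icmp-from-<ip>' for another hop.
    ICMP error generation is often rate limited, so repeat probes before
    treating 'no-reply' as a deny."""
    seen = {}
    for pkt in replies:
        parsed = parse_time_exceeded(pkt)
        if parsed:
            reporter, ident, _ = parsed
            seen[ident] = reporter
    result = {}
    for probe in probes:
        ident = struct.unpack("!H", probe[4:6])[0]
        dport = struct.unpack("!H", probe[22:24])[0]
        reporter = seen.get(ident)
        if reporter == firewall_ip:
            result[dport] = "icmp-from-firewall"
        elif reporter is None:
            result[dport] = "no-reply"
        else:
            result[dport] = "icmp-from-" + reporter
    return result


def demo():
    """Constructed scenario: inbound rules permit 80 and 443, deny 23; outbound
    inspection is off, so the firewall's own Time Exceeded messages get out."""
    probes = [build_syn_probe(SCANNER, TARGET, 40000 + i, port, FW_HOPS, 0x1000 + i)
              for i, port in enumerate((23, 80, 443))]
    permitted = {80, 443}
    replies = [build_time_exceeded(FIREWALL, p) for p in probes
               if struct.unpack("!H", p[22:24])[0] in permitted]
    return map_rulebase(probes, replies, FIREWALL)


if __name__ == "__main__":
    print(demo())
```

The defensive counterpart follows directly from the quoted post: once the firewall inspects eitherbound, a rule dropping firewall-originated ICMP Time Exceeded toward untrusted networks turns every probe into "no-reply" and the mapping yields nothing.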
