Firewall Wizards mailing list archives

RE: TTL, works with Cisco ACL's to :)
From: "Ofir Arkin" <ofir () itcon-ltd com>
Date: Sat, 11 Nov 2000 01:15:59 +0200

Furthermore,

When the filtering device is generating the ICMP error messages, this will give us a clear indication about the OS it is installed on.

If you do not block the error messages, then even if you have "transparent" networking or filtering devices along the way to the target, they are exposed easily when you are using a Firewalk-like technique with allowed traffic. For example, a reverse proxy transparent to the void. And there are other examples.

It's simply like Lance indicated: block the ICMP error messages from the filtering device as well. With Check Point Firewall-1, do 2 mandatory rules: first, do not allow any traffic to the firewall itself; second, block any ICMP error message coming from the filtering device to anywhere (yes, anywhere! internal and external). Put those as rule 1 and rule 2.

Another problem would be if the filtering device spoofs replies for machines it is protecting. This can lead to the discovery of the OS the filtering device is using as well.

Ofir Arkin  [ofir () itcon-ltd com]
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.

Personal Web page: http://www.sys-security.com

"Opinions expressed do not necessarily
represent the views of my employer."

-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com]On Behalf Of Lance Spitzner
Sent: Friday, November 10, 2000 7:24 AM
To: Alex Goldney
Cc: nmap-hackers () insecure org; firewall-wizards () nfr com
Subject: Re: [fw-wiz] TTL, works with Cisco ACL's to :)

On Thu, 9 Nov 2000, Alex Goldney wrote:

I know a lot of sites don't do good egress filtering, and I guess that is
the point that needs to be hammered home.....

Actually, many sites do have egress filtering.  However, the filtering device
is filtering outbound traffic generated by the internal network.  What many
sites are NOT doing is egress filtering of traffic generated by the
device itself.  The filtering device is trusted, so it is allowed to
send any traffic it wants to.  That is why I believe the use of TTL
port scans can be effective against many filtering devices.

On Thu, 9 Nov 2000, Alex Goldney wrote:

OK, so you aren't blocking any ICMP packets with access-lists.
That should avoid the problem, no?  Of course, it can be considered
a bit unfriendly to block the lot.

Path MTU discovery stuff should be allowed at least in general.  I guess
that opens up the possibility for the same type of attack if the MTU of
one of your routers' links is less than the MTU of the incoming Internet
link.  This case should be pretty rare though.

Keep in mind, many Firewalls/Screening Routers do not block ICMP error
messages.  Those that do block ICMP error messages block them inbound from
the untrusted networks, such as the Internet, or block them inbound from
internal networks.  However, most rulebases/ACLs do NOT block ICMP error
messages generated by the filtering device itself.

Keep in mind, this is a generalization based on my experience.


Lance Spitzner
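An added example, not from either poster: a small Python audit that parses constructed tcpdump-style ICMP lines and flags error messages whose source is the filtering device itself, toward both internal and external destinations, which is the gap Lance describes and Ofir's second rule is meant to close. The addresses, the log line format and the internal prefix are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# ICMP error types that a filtering device answering for itself would emit
# (type 11 is what a TTL/Firewalk-style probe elicits; type 3 covers admin-prohibited).
ICMP_ERROR_TYPES = {3: "destination unreachable", 4: "source quench",
                    5: "redirect", 11: "time exceeded", 12: "parameter problem"}

# Constructed sample traffic in a simplified tcpdump-like form (assumed format).
# 10.0.0.5 plays the filtering device; 192.168.0.0/16 is the assumed internal net.
SAMPLE_LOG = """\
10.0.0.5 > 203.0.113.9: ICMP type=11 code=0 time exceeded in-transit
192.168.1.20 > 203.0.113.9: ICMP type=3 code=3 port unreachable
10.0.0.5 > 192.168.1.20: ICMP type=3 code=13 admin prohibited
203.0.113.9 > 192.168.1.20: ICMP type=8 code=0 echo request
10.0.0.5 > 203.0.113.9: ICMP type=3 code=13 admin prohibited
"""

LINE_RE = re.compile(r"^(\S+) > (\S+): ICMP type=(\d+) code=(\d+)")


def parse_icmp_lines(text):
    """Yield (src, dst, type, code) for every line that matches the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), int(m.group(4))


def leaked_errors(text, filter_addrs):
    """Count ICMP error messages whose source is the filtering device itself.

    Returns {(src, type, code): count}; anything here is traffic Ofir's rule 2 drops.
    """
    found = defaultdict(int)
    for src, _dst, typ, code in parse_icmp_lines(text):
        if src in filter_addrs and typ in ICMP_ERROR_TYPES:
            found[(src, typ, code)] += 1
    return dict(found)


def leak_report(text, filter_addrs, internal_nets):
    """Split the leaked errors by destination side, to show 'anywhere' means both."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    report = {"internal": 0, "external": 0}
    for src, dst, typ, _code in parse_icmp_lines(text):
        if src in filter_addrs and typ in ICMP_ERROR_TYPES:
            side = "internal" if any(ipaddress.ip_address(dst) in n for n in nets) else "external"
            report[side] += 1
    return report


if __name__ == "__main__":
    print(leaked_errors(SAMPLE_LOG, {"10.0.0.5"}))
    print(leak_report(SAMPLE_LOG, {"10.0.0.5"}, ["192.168.0.0/16"]))
```

Run it against a real capture by replacing SAMPLE_LOG with lines in the same shape; a non-empty result means the device answers for itself and the rulebase needs the two rules Ofir lists.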

firewall-wizards mailing list
firewall-wizards () nfr com
