Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

RE: Inappropriate TCP Resets Considered Harmful
From: Crispin Harris <Harris_C () DeMorgan com au>
Date: Thu, 17 May 2001 10:01:13 +1000


 This correspondence is for the named person's use only.  It may
 contain confidential or legally privileged information or both.
 No confidentiality or privilege is waived or lost by any
 mistransmission.  If you receive this correspondence in error, please
 immediately delete it from your system and notify the sender.  You
 must not disclose, copy or rely on any part of this correspondence
 if you are not the intended recipient.

 Any views expressed in this message are those of the individual sender,
 except where the sender expressly, and with authority, states them to
 be the views of DeMorgan Pty Ltd.

 This e-mail has been checked for known Viruses. It is the responsibility
 of the receiver to check their system for infected files and any such
 file is deemed not to be the responsibility of DeMorgan.


(Hoping that the organisations Anti-Virus software won't do silly things
with attachments this time :-)

-----Original Message-----
From: Ben Nagy [mailto:ben.nagy () marconi com au]
Sent: Tuesday, 15 May 2001 4:02 PM
Subject: RE: [fw-wiz] Inappropriate TCP Resets Considered Harmful

One family of opinion states that the firewall should provide 
an absolute
minimum of information regarding its configuration and state.

Being able to have your firewall fingerprinted is probably 
not optimal, but
not an overriding concern, IMO. Going too far down that path leads to
"Security by Obscurity" sophistry.

I don't believe that obscurity is a valid security concept, however
"information hiding" (obscuring) CAN be used to increase security.
(Otherwise pre-shared secrets wouldn't work...)

From a security point of view, I believe that it is perfectly 
valid for a
firewall to deny or reject any traffic that is not 
_PRE-APPROVED_. i.e. if
the firewall receives ECN traffic, and the organisation has 
not said "We
want to allow ECN", then the firewall administrator would be 
negligent if
this traffic was not dropped.

I agree. This seems to be a common opinion among firewall 

And not just firewall people. Talk to any trained Security Officer, and they
will tell you that the Primary Tenet of Operational Security (in a security
sensitive situation) is "Prevent that which is not explicitly allowed".
[Deem the standard disclaimer about the inverse situation included]

That would tend to lead me to assume that the only reason that 
ECN works for such a large percentage of hosts is because many 
firewalls so not adequately enforce RFC compliance in the TCP 
stream, not because the administrators have taken a lenient 
security stance.

Some-Some. My experience would tend to say that for "Highly-Competant
Security Professionals", that is the case, however I have found that the
vast majority of Firewall Administrators are NOT Security Professionals....

[Crispin votes for TCP RST as a response to ECN-TCP packets]
(Mind you, the argument changes when talking non-TCP :-)

OK - what's your pick for non-TCP? 

The RST mechanism is only appropriate when dealing with TCP streams. My
basic argument doesn't change: "I believe that session/connection/packet
rejections should be handled in the same way regardless of whether it was a
'Deny by rule', 'Inappropriate Options', or 'Host/Service not available'.

UDP doesn't have a RST mechanism. 
        ICMP Port Unreachable
ICMP doesn't require a RST mechanism. 
IP other protocols
        <?help? Don't have an answer for this>

That's going to be relevant, as well, and variation in the 
handling of ECN for other IP protocols is almost certainly
going to lead to fingerprinting heaven.

What a wonderful thought. <wry grimace>
        Crispin Harris
        DeMorgan Information Security Specialists

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]