Firewall Wizards: RE: Borderware Ping Server

RE: Borderware Ping Server

From: Ofir Arkin <ofir_at_sys-security.com>
Date: Sat, 20 Oct 2001 20:51:26 +0200

Marcus,

Some old-timers did not understand what I meant... I guess.

We let the FW deal only with what we teach it to recognize, and what
is legitimate IPv4 traffic. This means that if the firewall receives a
packet with an Unused bit set, which is against the RFCs' recommendations,
it drops it instantly because it is not legitimate IPv4 traffic. No
questions asked. Another example might be ICMP request packets:
they need to be of a certain length. Some of those should not cross a
router, etc., etc., etc., and the number of examples we can have is huge.
Weird combinations of the TOS field, weird combinations of the IP
Options field, and more.

I was demonstrating this in an old paper I wrote ("Unverified Fields - A
Problem with Firewalls & Firewall Technology Today", available from
http://www.sys-security.com/html/papers.html).

It is more than common knowledge that today's firewalls just do not
understand IPv4 as they should. They overlook some fields and look at
the obvious where we expect them to look for the not expected.

What we need is a device which understands IPv4, and the applications,
not a dumb tunnel.

Ofir Arkin [ofir_at_sys-security.com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: firewall-wizards-admin_at_nfr.com
[mailto:firewall-wizards-admin_at_nfr.com] On Behalf Of Marcus J. Ranum
Sent: Fri 19 October 2001 4:16
To: Ofir Arkin; 'Don Ng'; firewall-wizards_at_nfr.com
Subject: RE: [fw-wiz] Borderware Ping Server

Ofir Arkin wrote:
>Another good design decision might be - we know what is allowed
>everything else we trash...

You mean "that which is not expressly permitted is denied"?

Great idea!!! I know a lot of old-timers been saying that kind of thing
for years. ;)

mjr.

---
Marcus J. Ranum     Chief Technology Officer, NFR Security Inc.
Work:  http://www.nfr.com
Play: http://www.ranum.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_nfr.com
http://list.nfr.com/mailman/listinfo/firewall-wizards
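As an added example (not part of the original thread), a small Python checker in the spirit of the "drop what is not legitimate IPv4" rule discussed above: it parses a raw IPv4 header and reports the fields a strict firewall would reject (reserved flag bit, IP options, unused TOS bit, length and checksum consistency). The sample packets are constructed inline; the TOS check assumes the RFC 791 "must be zero" low-order bit and should be skipped on networks that use ECN.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the header bytes.
    Over a header that already carries a correct checksum this returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def validate_ipv4_header(pkt: bytes) -> list:
    """Return the reasons a strict firewall would drop this packet
    (an empty list means the header looks like legitimate IPv4)."""
    reasons = []
    if len(pkt) < 20:
        return ["truncated header"]
    ver_ihl, tos, total_len, _ident, flags_frag, ttl, _proto, _csum = \
        struct.unpack("!BBHHHBBH", pkt[:12])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        reasons.append("version != 4")
    if ihl < 5:
        return reasons + ["IHL below minimum"]
    hlen = ihl * 4
    if len(pkt) < hlen or total_len != len(pkt):
        reasons.append("total length inconsistent with packet")
    if flags_frag & 0x8000:          # the unused (reserved) flag bit, must be zero
        reasons.append("reserved flag bit set")
    if hlen > 20:                    # any IP options present: verify or drop
        reasons.append("IP options present")
    if tos & 0x01:                   # assumption: RFC 791 MBZ bit; skip where ECN is used
        reasons.append("unused TOS bit set")
    if ttl == 0:
        reasons.append("TTL is zero")
    if len(pkt) >= hlen and ipv4_checksum(pkt[:hlen]) != 0:
        reasons.append("bad header checksum")
    return reasons

def build_header(flags_frag: int = 0, tos: int = 0, options: bytes = b"") -> bytes:
    """Build a constructed, payload-less IPv4 header with a correct checksum."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos, ihl * 4, 1, flags_frag,
                      64, 1, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + options
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

GOOD = build_header()                                  # plain, well-formed header
EVIL = build_header(flags_frag=0x8000)                 # reserved flag bit set
OPTS = build_header(options=b"\x01\x01\x01\x00")       # NOP,NOP,NOP,EOOL options
```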
Received on Oct 23 2001