Firewall Wizards mailing list archives
Re: FW-1 initiate connection rule
From: Lance Spitzner <lance () spitzner net>
Date: Fri, 8 Dec 2000 09:39:29 -0600 (CST)
On Fri, 8 Dec 2000, Frédéric FROISSART wrote:
This exposes FW-1 installations to risk. Attacks can be used against the firewall that are based on the firewall initiating connections (which would not be inspected). Examples include packets whose TTL expires at the firewall, causing the firewall to initiate an ICMP TTL error message which can be used to map firewall rulebases.
Have you got other examples of similar attacks that are based on the firewall initiating connections?
This is the only one I have tested and confirmed. However, never doubt the creativity of the blackhat community. I'm sure other attacks exist, such as having the firewall initiate a specific DNS lookup, NTP updates, syslog messages, etc. It all depends on what functionality you expect of your firewall.
As for the TTL rulebase mapping, that is a threat most common if the rulebase is NOT filtering packets initiated by the firewall. For more information on the TTL risks involved, check out the utility 'firewalk'. I will be updating my "Auditing Your FW Setup" paper that details this methodology.
Hope this helps ...
Lance Spitzner
http://project.honeynet.org
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
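As an added example, not code from this thread or from Check Point, the following Python check walks constructed firewall log lines and flags packets whose source address is the firewall itself: the ICMP time-exceeded case described above (TTL expired at the firewall) and the DNS, NTP and syslog cases the reply lists. The log format, the firewall addresses and the field names are all assumptions for the example.

```python
# Added example: audit log lines for traffic the firewall itself originates,
# which the thread says may bypass rulebase inspection. The log format and
# addresses below are constructed for this example, not FW-1's real format.
import ipaddress

# Assumed firewall interface addresses (documentation ranges).
FIREWALL_ADDRS = {ipaddress.ip_address("192.0.2.1"),
                  ipaddress.ip_address("198.51.100.1")}

# Services the reply names as things a firewall may initiate on its own.
WATCHED = {("udp", 53): "DNS lookup", ("udp", 123): "NTP update",
           ("udp", 514): "syslog message"}


def parse_line(line):
    """Constructed format: '<ts> key=value key=value ...'."""
    return dict(tok.split("=", 1) for tok in line.split()[1:])


def classify(line):
    """Return a verdict for firewall-originated packets, else None."""
    f = parse_line(line)
    if ipaddress.ip_address(f["src"]) not in FIREWALL_ADDRS:
        return None  # inbound or transit traffic: subject to the rulebase
    proto = f["proto"]
    if proto == "icmp" and f.get("type") == "11":
        # Type 11 = Time Exceeded: the firewall answered a packet whose TTL
        # ran out on it, the rulebase-mapping condition the post describes.
        return "firewall-originated ICMP time-exceeded (TTL expired at firewall)"
    key = (proto, int(f.get("dport", 0)))
    if key in WATCHED:
        return f"firewall-originated {WATCHED[key]}"
    return "firewall-originated traffic (other)"


def scan(lines):
    """Return (timestamp, verdict) pairs for every flagged line."""
    return [(ln.split()[0], classify(ln)) for ln in lines if classify(ln)]


# Constructed sample log: two firewall-originated packets, two that are not.
SAMPLE_LOG = [
    "2000-12-08T09:39:29 proto=icmp src=192.0.2.1 dst=203.0.113.7 type=11 code=0",
    "2000-12-08T09:39:30 proto=tcp src=203.0.113.7 dst=192.0.2.50 sport=40000 dport=80",
    "2000-12-08T09:39:31 proto=udp src=192.0.2.1 dst=203.0.113.53 sport=1025 dport=53",
    "2000-12-08T09:39:32 proto=icmp src=203.0.113.7 dst=192.0.2.1 type=8 code=0",
]

if __name__ == "__main__":
    for ts, verdict in scan(SAMPLE_LOG):
        print(ts, verdict)
```

Any hit from this scan is a packet the firewall generated itself; whether it was inspected is exactly the question the rulebase has to answer.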
Current thread:
- FW-1 initiate connection rule Lance Spitzner (Dec 08)
- Re: FW-1 initiate connection rule Frédéric FROISSART (Dec 09)
- Re: FW-1 initiate connection rule Lance Spitzner (Dec 09)
- Re: FW-1 initiate connection rule Frédéric FROISSART (Dec 09)
