Firewall Wizards mailing list archives

Re: nmap fun


From: Chris Calabrese <christopher_calabrese () merck com>
Date: Thu, 26 Oct 2000 09:28:53 -0400

This is a consequence of the underlying way Gauntlet
(and other commercial proxy-based firewalls, for that matter)
interfaces with the underlying OS and isn't so easy to change.

Basically, it inserts code into the underlying OS IP stack
that delivers packets destined for the "proxied" systems
to the proxies.  Since these proxies run as regular user-mode
programs, they can't examine their traffic without going through the
usual socket() or TLI APIs, which means they can't reject traffic
without completing the TCP handshakes.

In order to change this, the kernel bits would have to implement
the rulesets, which would be much more complicated.  On the other
hand, there's something to be said for having the firewall intercede,
as it makes it more difficult for scanners to figure out what kind
of systems you're running, and therefore harder to find OS-specific
exploits.

Now, if you want to be scared....  Some proxy-based firewalls
will also deliver packets to user-level programs on the firewall
even if they're not firewall-proxies.  This lets you attach to any
network listeners on the firewall system, even if they're totally
insecure.  Sorry, but I am not at liberty to give out any more
details on this.  Suffice to say that you should try attacking
a firewall before you believe that it actually does something
useful.

Bret Watson wrote:

Whilst we are looking at nmap... Has anyone noticed that scanning an address
range "protected" by Gauntlet 5.x, interesting things appear?

Such as being able to identify all the ports that are open on the hosts
behind the firewall?

What makes it really interesting for me is that an Application proxy should
never reply for ports that are not permitted, but what seems to happen is
that if one makes a TCP connect to an address protected by Gauntlet and
this port is available on the machine, then Gauntlet will tell you to go
away, but if the port is not open on the machine behind the wall then
Gauntlet will not respond at all...

Thusly, one can do a TCP Connect scan of an address space covered by
Gauntlet and get all the machines with their open ports - scary huh?

This works on NT and Solaris under the latest version of Gauntlet. NAI has
been asked (a couple of months ago even!) - no answer.

Cheers,

Bret

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
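As an added illustration from the defender's side (example code, not from either poster or from NAI), the behaviour described above leaves a recognisable footprint in a proxy firewall's connection log: one source completing handshakes to many host:port pairs in a short window and exchanging no data. The log format and sample lines below are constructed assumptions, not real Gauntlet output.

```python
"""Flag sources whose completed-but-empty connections fan out across many
host:port pairs in a short window: the footprint a TCP connect scan leaves
when the proxy answers the handshake itself and then closes the connection."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not real Gauntlet output):
# timestamp src_ip dst_ip:dst_port bytes_transferred
SAMPLE_LOG = """\
2000-10-26T09:28:00 203.0.113.5 192.0.2.10:21 0
2000-10-26T09:28:00 203.0.113.5 192.0.2.10:22 0
2000-10-26T09:28:01 203.0.113.5 192.0.2.10:25 0
2000-10-26T09:28:01 203.0.113.5 192.0.2.10:80 0
2000-10-26T09:28:02 203.0.113.5 192.0.2.11:22 0
2000-10-26T09:28:02 203.0.113.5 192.0.2.11:443 0
2000-10-26T09:28:03 198.51.100.7 192.0.2.10:80 5120
2000-10-26T09:28:40 198.51.100.7 192.0.2.10:80 7300
"""

def parse_line(line):
    """Split one log line into (timestamp, src, dst_host, dst_port, bytes)."""
    ts, src, dst, nbytes = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, host, int(port), int(nbytes)

def find_connect_scans(log_text, window=timedelta(seconds=60),
                       min_targets=5, max_bytes=0):
    """Return {src: sorted distinct (host, port)} for each source that completed
    at least min_targets distinct host:port connections, each carrying no more
    than max_bytes of payload, inside some sliding interval of length window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, port, nbytes = parse_line(line)
        if nbytes <= max_bytes:  # handshake completed, nothing exchanged
            events[src].append((ts, host, port))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start until evs[start:end+1] fits in `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {(h, p) for _, h, p in evs[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = sorted({(h, p) for _, h, p in evs})
                break
    return hits
```

The legitimate client at 198.51.100.7 is ignored because its connections carry data; the scanning source is reported with every host:port pair it touched.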


