
Firewall Wizards mailing list archives
RE: Inappropriate TCP Resets Considered Harmful
From: Ben Nagy <ben.nagy () marconi com au>
Date: Tue, 15 May 2001 16:01:36 +1000
[Crispin]
<an aside> I have been following this thread with great interest, as this cuts to the core of a common scheme of firewall configurations. One family of opinion states that the firewall should provide an absolute minimum of information regarding its configuration and state.
Being able to have your firewall fingerprinted is probably not optimal, but not an overriding concern, IMO. Going too far down that path leads to "Security by Obscurity" sophistry. [...]
From a security point of view, I believe that it is perfectly valid for a firewall to deny or reject any traffic that is not _PRE-APPROVED_. i.e. if the firewall receives ECN traffic, and the organisation has not said "We want to allow ECN", then the firewall administrator would be negligent if this traffic was not dropped.
I agree. This seems to be a common opinion among firewall people. That would tend to lead me to assume that the only reason that ECN works for such a large percentage of hosts is because many firewalls do not adequately enforce RFC compliance in the TCP stream, not because the administrators have taken a lenient security stance.
-----Original Message-----
From: Ben Nagy [mailto:ben.nagy () marconi com au]
Sent: Monday, 14 May 2001 9:43 AM
To: 'Darren Reed'

Why is a retry bad? If I were writing a firewall (heaven forbid!) I'd treat ECN packets either by silently discarding them or by sending an ICMP error.

This is one area in which I disagree. One network scanning option is to send a packet with the high-bit TCP flags set.
You mean IP Options, right?
How can I tell if this packet is ECN or scanning?
You can't. Oh wait, that question was rhetorical, right? 8) [...] [Crispin votes for TCP RST as a response to ECN-TCP packets]
(Mind you, the argument changes when talking non-TCP :-)
OK - what's your pick for non-TCP? That's going to be relevant, as well, and variation in the handling of ECN for other IP protocols is almost certainly going to lead to fingerprinting heaven.
Regards,
Crispin Harris
DeMorgan Information Security Specialists
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520
PGP Key ID: 0x1A86E30
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
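The exchange above turns on two things: where the ECN bits sit in the TCP header (the formerly reserved bits next to the URG flag), and the fact that whatever a firewall does with an unapproved ECN-setup SYN (silent drop, TCP RST, ICMP error) is observable by a scanner and so becomes a fingerprint. The following is an added example, not code from the thread or from any firewall product: it decodes the flag word of a raw TCP header, recognises an RFC 3168 ECN-setup SYN, applies a default-deny policy with a configurable reject action, and shows how the set of reactions to a few probes differs from policy to policy. The port numbers, the sample segments and the policy names are constructed for the example; checksums are left at zero.

```python
"""Added example (not from the firewall-wizards thread): decode the ECN bits in a raw
TCP header and show how a firewall's reaction to them becomes a fingerprint.
Ports, sample segments and policy names below are constructed for the example."""
import struct

# Bit positions inside the 16-bit data-offset/reserved/flags word of the TCP header.
# FIN..URG are RFC 793; ECE and CWR were carved out of the reserved field by RFC 3168.
FLAG_BITS = {"FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008,
             "ACK": 0x010, "URG": 0x020, "ECE": 0x040, "CWR": 0x080}
# Bits 8-11 are undefined in RFC 793 / RFC 3168 (bit 8 was later taken for NS by RFC 3540).
RESERVED_MASK = 0x0F00


def build_tcp_header(sport, dport, flag_word, seq=0, ack=0, window=65535):
    """Constructed 20-byte TCP header with no options; checksum and urgent pointer left 0."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flag_word, window, 0, 0)


def parse_tcp_flags(segment):
    """Return (named flags, reserved bits) from a raw TCP segment starting at byte 0."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    off_flags = struct.unpack("!H", segment[12:14])[0]
    flags = {name: bool(off_flags & bit) for name, bit in FLAG_BITS.items()}
    return flags, (off_flags & RESERVED_MASK) >> 8


def is_ecn_setup_syn(flags):
    """RFC 3168 ECN negotiation: SYN with both ECE and CWR set and ACK clear."""
    return flags["SYN"] and flags["ECE"] and flags["CWR"] and not flags["ACK"]


def firewall_verdict(segment, allow_ecn, reject_action):
    """Default-deny policy for an inbound SYN.  reject_action is what the firewall does
    with traffic nobody pre-approved: 'drop' (silent), 'rst' or 'icmp'."""
    flags, reserved = parse_tcp_flags(segment)
    if reserved:
        return reject_action      # undefined bits: a scanner or a bug, never pre-approved
    if flags["ECE"] or flags["CWR"]:
        if allow_ecn and is_ecn_setup_syn(flags):
            return "accept"
        return reject_action      # ECN not pre-approved, or ECN bits on a non-setup segment
    return "accept"


# Constructed probes: a plain SYN, an RFC 3168 ECN-setup SYN, and a SYN with one of the
# still-reserved bits set (a scanner's "high-bit flags" probe).  To a stack written before
# RFC 3168 the last two are equally abnormal, which is the point made in the thread.
PROBES = {
    "syn":          build_tcp_header(40000, 80, FLAG_BITS["SYN"]),
    "ecn_syn":      build_tcp_header(40001, 80, FLAG_BITS["SYN"] | FLAG_BITS["ECE"] | FLAG_BITS["CWR"]),
    "reserved_syn": build_tcp_header(40002, 80, FLAG_BITS["SYN"] | 0x0200),
}


def response_signature(allow_ecn, reject_action):
    """What a remote scanner observes for each probe: the firewall's effective fingerprint."""
    return {name: firewall_verdict(seg, allow_ecn, reject_action) for name, seg in PROBES.items()}


if __name__ == "__main__":
    for policy in [(False, "drop"), (False, "rst"), (True, "rst")]:
        print(policy, response_signature(*policy))
```

Run as a script, the three policies give three different signatures: a firewall that silently drops everything unapproved shows only "accept"/"drop"; one that answers with RST shows "rst" for both the ECN-setup SYN and the reserved-bit probe; one that has pre-approved ECN accepts the ECN-setup SYN but still rejects the reserved-bit probe, which is exactly what lets a scanner tell the three apart.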