Re: [fw-wiz] dirty packet tricks?

From: Stephen D. B. Wolthusen (wolt@igd.fhg.de)
To: firewall-wizards@honor.icsalabs.com
Date: Thu Jul 11 16:50:13 2002

Hi,

Ryan Russell <ryan@securityfocus.com> writes:

[...]
> Wow, that's..not normal. OK. So, you want to build a hijacking router.
> So what do the route tables and subnet masks on the client machines look
> like, in theory? The clients have to believe that there is some route to
> the Internet, or they won't ever bother trying to get there. They either
> have to believe the Internet is all on the local segment (subnet mask
> 0.0.0.0, probably not workable..) or they have to think that it's through
> another router. I have to assume that if you don't want your transparent
> proxy thing to be the "official" router, then there must be another
> router, which means you must have multiple local subnets. Your firewall
> will have to have the ability to suck packets off all subnets you want to
> be able to reach the Internet, or have multiple ones, etc...

... phrased like that it is starting to sound a lot like a souped-up switch
(OK, multiport bridge). Sane switches treat multiple ARP responses (MAC
addresses) as fault conditions and isolate the port the offending frames
came from, so this probably won't go very far in most modern networks.

To catch all traffic (statically configured media address resolution tables
aren't that rare, it will save you a lot of headaches in some
fault-tolerant/clustered environments) and still meet the original
requirement, the firewall/monitor effectively has to act as a multiport
bridge (Lucent did this some years back and sell such a thing - if they're
still around by the time I'm writing this). This means the usual bandwidth
issues in switched/fabric environments, but the best bet is probably hacking
up the switch OS, make port/VLAN mirroring a two-way street and then do
whatever you need on a host attached to the mirroring patch.

That's uglier than Saddam's hairy butt, and one of the reasons why
distributed firewalling/ID is probably the only way out of the bandwidth
mess (among others). Now there's some flame bait.

-- 
	later,
	Stephen
Fraunhofer-IGD                 | mailto:
Stephen Wolthusen              | wolt@igd.fhg.de
Fraunhoferstr. 5  	       | swolthusen@acm.org
64283 Darmstadt                | swolthusen@ieee.org
GERMANY                        | stephen@wolthusen.com
			       | 
Tel +49 (0) 6151 155 539       | Fax: +49 (0) 6151 155 499 
    +49 (0) 172 916 9883       |      +49 (0) 6245 905 366 
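
A small defender-side illustration of the check Stephen describes above (a switch seeing one IP address claimed by more than one MAC address, and isolating the port the offending frames came from). This is an added example, not code from the thread or from any switch vendor; the ARP reply records, the "port ip mac" line format and the trust-the-first-claim policy are all constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample: ARP replies as a bridge/switch would see them, one per line,
# in the assumed format "<ingress-port> <sender-ip> <sender-mac>".
# Port 7 answers for addresses that ports 1 and 2 already own.
SAMPLE_ARP_REPLIES = """\
1 10.0.0.1 00:11:22:33:44:01
2 10.0.0.2 00:11:22:33:44:02
3 10.0.0.3 00:11:22:33:44:03
1 10.0.0.1 00:11:22:33:44:01
7 10.0.0.1 DE:AD:BE:EF:00:07
7 10.0.0.2 de:ad:be:ef:00:07
"""


def parse_arp_replies(text):
    """Parse the constructed record format into (port, ip, mac) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        port, ip, mac = line.split()
        records.append((int(port), ip, mac.lower()))  # normalise MAC case
    return records


def find_arp_conflicts(records):
    """Return {ip: {(port, mac), ...}} for every IP claimed by more than one MAC."""
    claims = defaultdict(set)
    for port, ip, mac in records:
        claims[ip].add((port, mac))
    return {ip: c for ip, c in claims.items() if len({mac for _, mac in c}) > 1}


def ports_to_isolate(records):
    """Assumed switch policy: the first (port, mac) seen for an IP is trusted;
    any later claim for that IP with a different MAC marks its ingress port
    as offending. Returns the sorted list of ports to isolate."""
    first_claim = {}
    offending = set()
    for port, ip, mac in records:
        if ip not in first_claim:
            first_claim[ip] = (port, mac)
        elif first_claim[ip][1] != mac:
            offending.add(port)
    return sorted(offending)


if __name__ == "__main__":
    recs = parse_arp_replies(SAMPLE_ARP_REPLIES)
    for ip, c in sorted(find_arp_conflicts(recs).items()):
        print(f"{ip} claimed by: {sorted(c)}")
    print("isolate ports:", ports_to_isolate(recs))
```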

