Re: [fw-wiz] CERT vulnerability note VU# 539363

From: Daniel Hartmeier (daniel@benzedrine.cx)
Date: 10/16/02


From: Daniel Hartmeier <daniel@benzedrine.cx>
To: "Paul D. Robertson" <proberts@patriot.net>
Date: Wed Oct 16 10:07:17 2002

On Wed, Oct 16, 2002 at 09:36:06AM -0400, Paul D. Robertson wrote:

> If you're hosting public resources behind the same firewall that's
> protecting everything else in your enterprise, you've probably made a
> questionable architectural decision. If you're keeping state on say
> inbound SMTP traffic, the question is "Why?" If the 'Net as a whole can
> connect to something, the state itself isn't going to do much good. If
> you're trying to rewrite sequence numbers because of a host that talks to
> the public with high predictability, again you've probably made a
> questionable architectural decision.

Keeping state can have performance benefits. Depending on your rule set,
associating a packet with a state entry is cheaper than evaluating the
rules. Keeping state does not 'just' increase the quality of filter
decisions.

> Public-talking hosts should be protectable with simple non-stateful packet
> filtering rules- *especially* those which allow the untrusted side to
> initiate connections.

In my experience, allowing a maximum to be specified for the number of
states created by a filter rule is very useful in this case (if you want to
keep state on all connections, and everything passes through the same
firewall). While an attacker can exhaust the individual maxima for
incoming connections to different services, other kinds of connections
(like outgoing connections, or connections the attacker can't establish)
are not affected.
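The two points above, that a state-table hit is cheaper than walking the rule set and that a per-rule cap on created states confines a flood to the one rule it hits, can be shown with a toy stateful filter. The code below is an added illustration, not part of Daniel's message or of pf; its rule semantics (first match wins, one state per 5-tuple, a packet that would exceed a rule's budget is dropped without creating state) are simplified assumptions, and all addresses and port counts are constructed.

```python
"""Toy stateful packet filter with per-rule state limits (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

# Addresses are RFC 5737 documentation ranges; all traffic below is constructed.
SERVER = "192.0.2.10"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" (from the untrusted side) or "out"


@dataclass
class Rule:
    direction: str
    proto: str
    dport: Optional[int]               # None matches any destination port
    action: str                        # "pass" or "block"
    max_states: Optional[int] = None   # per-rule cap on concurrent states
    states: set = field(default_factory=set)

    def matches(self, pkt: Packet) -> bool:
        return (pkt.direction == self.direction
                and pkt.proto == self.proto
                and (self.dport is None or pkt.dport == self.dport))


class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.state_table = {}        # flow key -> rule that created the state
        self.rule_evaluations = 0    # counts how often the slow path ran

    @staticmethod
    def key(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def reverse_key(pkt: Packet):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt: Packet) -> str:
        # Fast path: the packet belongs to a known flow in either direction,
        # so no rule is evaluated at all.
        if self.key(pkt) in self.state_table or self.reverse_key(pkt) in self.state_table:
            return "pass"
        # Slow path: walk the rule set; first match wins (toy semantics).
        for rule in self.rules:
            self.rule_evaluations += 1
            if rule.matches(pkt):
                if rule.action != "pass":
                    return "block"
                if rule.max_states is not None and len(rule.states) >= rule.max_states:
                    # This rule's state budget is exhausted: drop, create nothing.
                    return "drop"
                k = self.key(pkt)
                rule.states.add(k)
                self.state_table[k] = rule
                return "pass"
        return "block"  # default deny


def simulate() -> dict:
    """One attacker floods inbound SMTP; other traffic keeps flowing."""
    rules = [
        Rule("in", "tcp", 25, "pass", max_states=100),   # public SMTP, capped
        Rule("in", "tcp", 80, "pass", max_states=100),   # public HTTP, capped
        Rule("out", "tcp", None, "pass"),                # outgoing, uncapped
    ]
    fw = StatefulFilter(rules)
    # 500 SMTP connection attempts from one source, each with a new source port.
    smtp = [fw.process(Packet("tcp", "203.0.113.7", 1024 + i, SERVER, 25, "in"))
            for i in range(500)]
    http = fw.process(Packet("tcp", "198.51.100.5", 40000, SERVER, 80, "in"))
    outgoing = fw.process(Packet("tcp", SERVER, 50000, "198.51.100.9", 443, "out"))
    # The reply to the outgoing connection should hit the state table directly.
    evals_before = fw.rule_evaluations
    reply = fw.process(Packet("tcp", "198.51.100.9", 443, SERVER, 50000, "in"))
    reply_evals = fw.rule_evaluations - evals_before
    # An inbound packet with no matching state and no matching rule is blocked.
    stray = fw.process(Packet("tcp", "198.51.100.9", 443, SERVER, 50001, "in"))
    return {
        "smtp_passed": smtp.count("pass"),
        "smtp_dropped": smtp.count("drop"),
        "http": http,
        "outgoing": outgoing,
        "reply": reply,
        "reply_rule_evaluations": reply_evals,
        "stray": stray,
    }


if __name__ == "__main__":
    print(simulate())
```

The flood fills the SMTP rule's 100 states and the remaining 400 attempts are dropped, while the HTTP rule, outgoing connections and their replies are untouched; the reply packet is accepted without a single rule evaluation, which is the performance benefit of a state hit. In pf the same idea is expressed with the `max` option on a `keep state` rule, which caps the states that one rule may create.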

Daniel
