Re: [fw-wiz] CERT vulnerability note VU# 539363

From: Frank Knobbe (fknobbe@knobbeits.com)
Date: 10/16/02


From: Frank Knobbe <fknobbe@knobbeits.com>
To: "Paul D. Robertson" <proberts@patriot.net>
Date: Wed Oct 16 12:02:31 2002


On Wed, 2002-10-16 at 08:36, Paul D. Robertson wrote:
> [...]
> If you're hosting public resources behind the same firewall that's
> protecting everything else in your enterprise, you've probably made a
> questionable architectural decision. If you're keeping state on say
> inbound SMTP traffic, the question is "Why?" If the 'Net as a whole can
> connect to something, the state itself isn't going to do much good.

Not for inbound connections, but doesn't a stateful firewall prevent
non-legit outbound connections? If the firewall protecting a web server
were stateless (read packet filter), the web server could establish
connections to the outside with a source port of 80, and a backdoor
would be able to connect to its master. However, if state is kept, and
only inbound connections to port 80 are allowed, then the backdoor can
not establish a connection to the outside using source port 80.

To me it seems that stateless access control only protects my side from
incoming traffic, but I also want to enforce access control on outbound
traffic. In order to distinguish between a valid response and a new
connection, isn't state helpful?

I understand that I could filter any packets from the web server (in the
above example) by denying packets with the SYN flag set, so maybe the above
rant is only valid for UDP. But in general I believe state is useful in
access control. Or am I way off?

Regards,
Frank
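The three policies Frank contrasts above (a plain packet filter, the same filter with outbound SYN dropped, and a stateful filter that only lets inbound connections create state) can be shown side by side with a small simulation. This is an added example, not code from the thread or from any real firewall; the addresses, the backdoor's destination port 4444, and the two services (HTTP on tcp/80, DNS on udp/53, the latter added to show the UDP case he raises) are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
WEB = "192.0.2.10"        # DMZ server offering HTTP and DNS
CLIENT = "203.0.113.5"    # legitimate Internet client
MASTER = "198.51.100.7"   # the backdoor's "master" host
SERVICES = {("tcp", 80), ("udp", 53)}   # public services on WEB


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()      # TCP flags; empty for UDP


def stateless_allow(pkt: Packet) -> bool:
    """Packet filter with no memory: inbound to a service port is allowed,
    and anything *from* a service port is allowed because it might be a reply."""
    if pkt.dst == WEB and (pkt.proto, pkt.dport) in SERVICES:
        return True
    if pkt.src == WEB and (pkt.proto, pkt.sport) in SERVICES:
        return True
    return False


def stateless_no_syn_allow(pkt: Packet) -> bool:
    """Same filter plus the refinement the post mentions: drop outbound packets
    from the server that carry SYN without ACK, i.e. new TCP connections."""
    if (pkt.src == WEB and pkt.proto == "tcp"
            and "SYN" in pkt.flags and "ACK" not in pkt.flags):
        return False
    return stateless_allow(pkt)


class StatefulFilter:
    """Only inbound traffic to a service may create state; everything else
    must match an already-seen flow in either direction."""

    def __init__(self) -> None:
        self.flows: set = set()

    def allow(self, pkt: Packet) -> bool:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            return True
        opens_tcp = (pkt.proto == "tcp"
                     and "SYN" in pkt.flags and "ACK" not in pkt.flags)
        if (pkt.dst == WEB and (pkt.proto, pkt.dport) in SERVICES
                and (opens_tcp or pkt.proto == "udp")):
            self.flows.add(fwd)        # inbound request creates the state entry
            return True
        return False


def run_scenario() -> dict:
    """Feed the same constructed traffic, in order, through each filter and
    return verdicts keyed by (filter name, packet name)."""
    traffic = [
        ("client_syn",    Packet("tcp", CLIENT, 51234, WEB, 80, frozenset({"SYN"}))),
        ("server_synack", Packet("tcp", WEB, 80, CLIENT, 51234, frozenset({"SYN", "ACK"}))),
        ("dns_query",     Packet("udp", CLIENT, 40000, WEB, 53)),
        ("dns_reply",     Packet("udp", WEB, 53, CLIENT, 40000)),
        # A backdoor on WEB reusing the service source ports to reach its master.
        ("backdoor_tcp",  Packet("tcp", WEB, 80, MASTER, 4444, frozenset({"SYN"}))),
        ("backdoor_udp",  Packet("udp", WEB, 53, MASTER, 4444)),
    ]
    stateful = StatefulFilter()
    filters = {
        "stateless": stateless_allow,
        "stateless_no_syn": stateless_no_syn_allow,
        "stateful": stateful.allow,
    }
    verdicts = {}
    for fname, decide in filters.items():
        for pname, pkt in traffic:
            verdicts[(fname, pname)] = decide(pkt)
    return verdicts


if __name__ == "__main__":
    for (fname, pname), ok in sorted(run_scenario().items()):
        print(f"{fname:17s} {pname:14s} {'ALLOW' if ok else 'DROP'}")
```

Running it shows exactly the split described in the post: the plain filter lets both backdoor packets out, the "no outbound SYN" rule stops the TCP one but has nothing to match on for UDP, and only the stateful filter drops both because neither flow was opened from the outside. A real stateful firewall also checks TCP sequence windows and expires entries, which this toy omits.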