Re: [fw-wiz] CERT vulnerability note VU# 539363

From: Paul Robertson (proberts@patriot.net)
Date: 10/16/02


From: Paul Robertson <proberts@patriot.net>
To: Frank Knobbe <fknobbe@knobbeits.com>
Date: Wed Oct 16 12:11:03 2002

On 16 Oct 2002, Frank Knobbe wrote:

> Not for inbound connections, but doesn't a stateful firewall prevent
> non-legit outbound connections? If the firewall protecting a web server

Not really...

> were stateless (read packet filter), the web server could establish
> connections to the outside with a source port of 80, and a backdoor
> would be able to connect to its master. However, if state is kept, and
> only inbound connections to port 80 are allowed, then the backdoor can
> not establish a connection to the outside using source port 80.

Outbound non-ack packets would stop this for a Web server, and if the
trojan is able to bind() to port 80 and service inbound requests (not that
it's not possible) without fooling the HTTP daemon, then methinks
filtering is the least of your problems.

> To me it seems that stateless access control only protects my side from
> incoming traffic, but I also want to enforce access control on outbound
> traffic. In order to distinguish between a valid response, and a new
> connection, isn't state helpful?

It can be, but potentially it can be a problem too- state tables can fill
up, where a stateless filter doesn't have that issue.

> I understand that I could filter any packets from the web server (in
> above example) by denying packets with SYN flag set, so maybe above rant
> is only valid for UDP. But in general I believe state is useful in
> access control. Or am I way off?

I find it slightly useful for UDP, but overall think the added complexity
doesn't bring much in the way of protection if you carefully design your
architecture.

The performance information that this thread has started IS interesting,
and it's started me wondering about the whole "filter on a router vs.
firewall" thing again.

Thanks,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
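An added illustration, not code from this thread or from either poster: a small Python model of the two filters being argued about, the stateless "outbound from port 80 only with ACK" rule Paul describes and a stateful filter that admits only packets of tracked flows. The addresses, ports and packets are constructed, and the `max_entries` cap is an assumption used to show the state-table fill-up problem.

```python
from collections import namedtuple

# Constructed address for the illustration: the protected web server.
WEB = "192.0.2.10"

# proto is "tcp" or "udp"; flags is a frozenset of TCP flag names (empty for UDP).
Packet = namedtuple("Packet", "proto src sport dst dport flags")

def stateless_allow(p):
    """Stateless rules for the web server in the thread: inbound TCP to 80 is
    allowed; outbound TCP from port 80 passes only with ACK set, which a
    backdoor's own connection-opening SYN does not carry. UDP has no flags,
    so the filter must admit DNS by port in both directions and cannot tell
    a reply from an unsolicited datagram."""
    if p.proto == "tcp" and p.dst == WEB and p.dport == 80:
        return True
    if p.proto == "tcp" and p.src == WEB and p.sport == 80:
        return "ACK" in p.flags
    if p.proto == "udp" and ((p.src == WEB and p.dport == 53)
                             or (p.dst == WEB and p.sport == 53)):
        return True
    return False

class StatefulFilter:
    """Tracks flows the policy lets start (inbound TCP SYN to 80, outbound
    DNS queries from the server) and admits only packets of tracked flows.
    max_entries is an assumed cap modelling a state table that fills up."""
    def __init__(self, max_entries=1024):
        self.table, self.max_entries = set(), max_entries

    def allow(self, p):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.table or rev in self.table:
            return True                  # packet belongs to a tracked flow
        opens_flow = (p.proto == "tcp" and p.dst == WEB and p.dport == 80
                      and p.flags == frozenset({"SYN"})) or \
                     (p.proto == "udp" and p.src == WEB and p.dport == 53)
        if not opens_flow:
            return False                 # unsolicited, or a new outbound TCP connection
        if len(self.table) >= self.max_entries:
            return False                 # table full: even a legitimate new flow is dropped
        self.table.add(key)
        return True

def compare(packets, max_entries=1024):
    """Run the same packets through both filters; returns (stateless, stateful) verdicts."""
    sf = StatefulFilter(max_entries)
    return [(stateless_allow(p), sf.allow(p)) for p in packets]
```

Both filters stop the backdoor's outbound SYN from port 80; they differ on the unsolicited UDP datagram from a remote port 53, which only the stateful filter rejects, and on what happens once the state table is full.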


