Re: [fw-wiz] The Mathematics of Relative Security

From: R. DuFresne (dufresne_at_sysinfo.com)
Date: 09/30/04

  • Next message: Roberts, Shawn: "[fw-wiz] Pass-through VPN"
    To: Mark Tinberg <mtinberg@securepipe.com>
    Date: Thu, 30 Sep 2004 02:21:06 -0400 (EDT)
    
    

    On Sat, 25 Sep 2004, Mark Tinberg wrote:

    > On Tue, 21 Sep 2004, Chris Pugrud wrote:
    >
    > > TCP also introduces a wrinkle that is not easily covered by the set theory I
    > > have learned, or I'm missing something - the concept of one-way membership. If
    >
    > I may wish to point out at this point that TCP connections are generally
    > bidirectional. A may only be able to initiate to B, but once that
    > connection is established B can send potentially malicious data back to A.
    > See vulnerabilities in web client software for an example of this
    > practice.

    Info flow is dual, but there is still the concept of the controlling
    terminal, like shell-related access, which seems to be defined by the
    ability to send the original SYN packet for setup. So, a good firewall
    setup can minimize the damage an overflow might have in such a setup, or
    even a trojan/backdoor, or am I way off base here?

    Thanks,

    Ron DuFresne

    -- 
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            admin & senior security consultant:  sysinfo.com
                            http://sysinfo.com
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    testing, only testing, and damn good at it too!
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
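Ron's point that the controlling end is whoever sends the original SYN, as an added example that is not part of the thread: a toy stateful filter in Python that mirrors the semantics of ipfw's `setup` (SYN without ACK) and `established` (ACK or RST) keywords. Hosts, ports and payloads are constructed; the inside host A may open connections, the outside host B may only answer on flows A opened, so B can still send malicious data back on an established connection but cannot call in on its own.

```python
from dataclasses import dataclass

# Constructed addresses: A is the inside host that may open connections.
INSIDE_HOSTS = {"10.0.0.5"}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flag letters, e.g. "S", "SA", "PA"
    payload: bytes = b""

class DirectionalFilter:
    """Toy model of 'allow tcp from <inside> to any setup' followed by
    'allow tcp from any to any established', with a default deny.
    ipfw's 'setup' matches SYN-without-ACK; 'established' matches ACK or RST."""

    def __init__(self, inside):
        self.inside = set(inside)
        self.flows = set()   # 4-tuples of connections opened from inside

    def decide(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if "S" in p.flags and "A" not in p.flags:   # bare SYN: who is initiating?
            if p.src in self.inside:
                self.flows.add(fwd)
                return "allow"
            return "deny"            # outside host may not become the initiator
        if ("A" in p.flags or "R" in p.flags) and (fwd in self.flows or rev in self.flows):
            return "allow"           # data in either direction on an inside-opened flow
        return "deny"

def run_scenario():
    """Returns the filter's verdict for each constructed packet, in order."""
    fw = DirectionalFilter(INSIDE_HOSTS)
    a, b = "10.0.0.5", "203.0.113.7"
    packets = [
        Packet(a, 40000, b, 80, "S"),                        # A opens to B
        Packet(b, 80, a, 40000, "SA"),                       # B's handshake reply
        Packet(b, 80, a, 40000, "PA", b"<malformed body>"),  # B sends data back: allowed
        Packet(b, 4444, a, 22, "S"),                         # B tries to call in: denied
        Packet(b, 4444, a, 22, "PA", b"payload"),            # stray data, no flow: denied
    ]
    return [fw.decide(p) for p in packets]

if __name__ == "__main__":
    print(run_scenario())
```

The third packet being allowed is exactly Mark's caveat: a firewall that controls who may initiate does not inspect what comes back on the connection, so the client still has to cope with hostile data.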
