Re: [fw-wiz] Firewalls that generate new packets..


On Tue, Nov 27, 2007 at 10:39:04PM -0500, jason@xxxxxxxxxx wrote:
> If I opened up port 80 into a
> web server and the state was tracked the reply packet would be able to
> pass back out of the firewall without having to have a rule allowing
> packets from the webserver sourced from port 80 out. Why should I need to
> put two rules in (one for the incoming traffic, and one for the reply)
> when I can rely on the state of the packet for the reply?

Who said you can't? But how do you know that it's HTTP that
is flowing over port 80?

You should have <something> in place that enforces that it's HTTP
and not some proprietary encrypted data stream for, e.g., a bot.
Or if we change the subject to egress filtering and "trusted"
internal users, how about a proprietary encrypted "Internet telephony"
application - hm, what product to pick as an example ...? ;-)

Of course, all sorts of applications can be made "firewall friendly"
and it's possible to tunnel IP through perfectly valid HTTP
or even DNS - but as Marcus put it lately, when he corrected me on
this list - why make it easier for the bad guys?

Firewalls have never been about "ports", yet the security industry
has brainwashed everyone with half an understanding of how TCP/IP
works into believing they were.

My customers keep asking me things like "internal user A wants to
run application X, vendor says it uses port Y - is this port
dangerous or can we open it up?" Well ...

Kind regards,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit
-- GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
Gf: Jürgen Egeling AG Mannheim 108285
firewall-wizards mailing list
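As an added illustration of the "<something> that enforces that it's HTTP" point above (this is example code written for this page, not from the original post and not any firewall product's implementation): a first-bytes classifier that decides whether the client side of a TCP/80 flow is actually speaking HTTP/1.x before the flow is allowed to continue. The function names and the sample payloads (a browser request, the start of a TLS ClientHello, an SSH banner, a truncated request, and a binary tunnel wrapped in a valid HTTP POST) are constructed for the example.

```python
"""Added example (not from the original post or any firewall product):
a first-bytes check that decides whether a client-to-server flow on
TCP/80 is actually HTTP, which is the kind of enforcement a stateful
port-80 rule on its own does not give you. Sample payloads are
constructed for this example."""
import re

# HTTP/1.x request line: method SP request-target SP HTTP-version CRLF
# (RFC 7230 section 3.1.1). HTTP/0.9 and HTTP/2 prior-knowledge are not
# accepted here; a real enforcement point would decide that explicitly.
REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]\r\n$")
# Header field: token ":" OWS field-value OWS (RFC 7230 section 3.2).
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[\t\x20-\x7e]*[ \t]*$")


def classify_port80_client_bytes(data: bytes) -> str:
    """Return 'http', 'not-http' or 'undecided' for the opening bytes of a
    TCP/80 client stream. 'undecided' means the enforcement point should
    keep buffering; 'not-http' means the flow merely borrows the port."""
    head, sep, _body = data.partition(b"\r\n\r\n")
    if not sep:
        # End of headers not seen yet: reject early if what we have can no
        # longer become a request line plus well-formed headers.
        return "undecided" if _could_be_request_prefix(head) else "not-http"
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0] + b"\r\n"):
        return "not-http"
    if all(HEADER_LINE.match(line) for line in lines[1:]):
        return "http"
    return "not-http"


def _could_be_request_prefix(head: bytes) -> bool:
    """True if `head` is a possible prefix of a request line and headers."""
    # Non-printable bytes up front (TLS on port 80, a bot's own encrypted
    # framing) rule HTTP out immediately.
    if not all(b in b"\r\n\t" or 0x20 <= b < 0x7F for b in head):
        return False
    first, crlf, rest = head.partition(b"\r\n")
    if crlf:
        # The request line is complete and must already be valid.
        if not REQUEST_LINE.match(first + b"\r\n"):
            return False
        # Completed header lines must be well-formed; the last may be cut off.
        complete = rest.split(b"\r\n")[:-1]
        return all(HEADER_LINE.match(line) for line in complete)
    # Only part of the request line so far: METHOD, optionally SP and more.
    return first == b"" or re.match(rb"^[A-Z]{1,10}(?: [^\r\n]*)?$", first) is not None


# Constructed sample payloads (hypothetical hosts, made up for this example).
SAMPLES = {
    "browser_request": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.64\r\n\r\n",
    # TLS record header plus the start of a ClientHello, i.e. HTTPS on port 80
    "tls_client_hello": bytes.fromhex("160301002a0100002603030102030405"),
    "ssh_banner": b"SSH-2.0-OpenSSH_7.4\r\n",
    "partial_request": b"GET /ind",
    # Valid HTTP carrying an opaque body: this check cannot tell it from a
    # real upload, which is exactly the tunnelling caveat in the post.
    "tunnel_in_valid_http": (b"POST /upload HTTP/1.1\r\nHost: c2.example.com\r\n"
                             b"Content-Type: application/octet-stream\r\n\r\n\x00\x17\x9f"),
}


def classify_samples() -> dict:
    """Run the classifier over every constructed sample."""
    return {name: classify_port80_client_bytes(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:22s} -> {verdict}")
```

The TLS, SSH and truncated cases show what a pure stateful port rule lets through and a protocol check does not; the last sample shows the limit the post itself names: a stream that is well-formed HTTP all the way down can only be caught by looking further into the application layer, not by this first-bytes gate.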
