Re: Packet Blocking a.k.a. BlackICE
From: bacano (bacano@esoterica.pt)
Date: 08/24/01
- Previous message: Robert Graham: "RE: Packet Blocking a.k.a. BlackICE"
- In reply to: Robert Graham: "RE: Packet Blocking a.k.a. BlackICE"
- Next in thread: RAGHAVENDRAN H.: "RE: Packet Blocking a.k.a. BlackICE"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <000e01c12c24$0369e180$c60116c3@piii550>
From: "bacano" <bacano@esoterica.pt>
To: <focus-ids@securityfocus.com>
Subject: Re: Packet Blocking a.k.a. BlackICE
Date: Thu, 23 Aug 2001 23:35:09 +0100
From: "Robert Graham" <robert_david_graham@yahoo.com>
> This is a simplification of the stack. There is actually a lot more
> interesting stuff you can do to interfere with networking. For example,
> Microsoft has a new firewalling API that taps directly into the TCP/IP
> stack, but that only works on Win2k. WinXP has a bunch of new
> firewalling stuff that I don't understand yet.
Seems like this new WinXP firewall is a step back, since this will only work
against inbound attacks, without outbound protection.
http://www.microsoft.com/windowsxp/pro/techinfo/howitworks/security/WindowsXPSecurity.doc
(...)
"How the Internet Connection Firewall Works
The Windows XP ICF makes use of active packet filtering, which means that
ports on the firewall are dynamically opened only for as long as needed to
enable you to access the services you're interested in. This type of
firewall technology, which is usually associated with more sophisticated
enterprise firewalls, prevents would-be hackers from scanning your computer's
ports and resources, including file and printer shares. This significantly
reduces the threat of external attacks. The ICF is enabled on a
per-connection basis."
(...)
So, what can this active packet filtering be, at the API level?
(...)
"Windows XP allows you to open holes in the firewall that allow traffic on
specific ports. This is called port mapping."
(...)
I'm afraid that these words will become famous :>
(...)
When enabled, this stateful filter blocks all unsolicited connections
originating from the public network interface. To accomplish this, the ICF
uses the Network Address Translation (NAT) flow table and validates any
incoming flow against the entries in the NAT flow table. Incoming data flows
are only allowed if there is an existing NAT flow table mapping that
originated from the firewall system or from within the internal protected
network. In other words, if the network communication did not originate
within the protected network, the incoming data will be dropped.
(...)
Will this work ok with the WindowsXP IPsec?
http://www.microsoft.com/windowsxp/pro/techinfo/howitworks/networking/NetworkingInWindowsXP.doc
(...)
Windows XP includes components that detect information about the network the
system is attached to. This allows for seamless configuration of the network
stack for that location. This information is also made available through a
Windows Sockets API, allowing applications to retrieve information about the
current network or be notified when the network information changes.
(...)
So, will the IDSs for XP play here?
(...)
Additional Microsoft extensions to Windows Sockets have been added to
Windows XP. This includes ConnectEx() - Used to send a block of data after
establishing a connection and TransmitPackets() - Used to transmit in memory
and/or file data over a connected socket.
(...)
with this?
http://www.microsoft.com/hwdev/network/NDIS51.htm
http://www.microsoft.com/hwdev/network/rmNDIS.htm
And about the new NDIS 5.1 and Remote NDIS ... can we expect from here any
good news for new IDS developments?
Regarding these questions, what do the IDS developers around here feel like
commenting?
[ ]'s bacano
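A toy model of the flow-table behaviour described in the quoted ICF text (unsolicited inbound flows dropped unless they match an entry created by outbound traffic, "port mapping" as a deliberate hole, and no outbound filtering at all). This is an added illustration, not Microsoft's code and not part of the original message; the `Packet` tuple, the `FlowTableFirewall` class and the sample addresses are all constructed.

```python
"""Constructed model of a NAT-style flow-table firewall, in the spirit of
the Windows XP ICF description quoted above.  Not Microsoft code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class FlowTableFirewall:
    """outbound() = packet leaving via the public interface,
    inbound() = packet arriving on it.  Each returns True if passed."""

    def __init__(self) -> None:
        # (proto, local_port, remote_ip, remote_port) for flows we started
        self.flows: set = set()
        # (proto, local_port) holes opened on purpose ("port mapping")
        self.port_mappings: set = set()

    def open_port(self, proto: str, port: int) -> None:
        # Port mapping: inbound traffic to this port is always accepted.
        self.port_mappings.add((proto, port))

    def outbound(self, pkt: Packet) -> bool:
        # No outbound protection: everything leaving is allowed, and the
        # flow is recorded so that the reply can match the table.
        self.flows.add((pkt.proto, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return True

    def inbound(self, pkt: Packet) -> bool:
        # Accept only if this is the reply leg of a flow we originated,
        # or if the destination port was deliberately mapped open.
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.flows:
            return True
        return (pkt.proto, pkt.dst_port) in self.port_mappings


if __name__ == "__main__":
    fw = FlowTableFirewall()
    fw.outbound(Packet("tcp", "192.0.2.10", 40000, "198.51.100.5", 80))
    print(fw.inbound(Packet("tcp", "198.51.100.5", 80, "192.0.2.10", 40000)))
    print(fw.inbound(Packet("tcp", "203.0.113.7", 1234, "192.0.2.10", 445)))
```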