Re: Avoiding tunnels



David Gillett wrote:
I think if you tell the firewall only to accept HTTP on port
80, that'll do the trick (requires stateful inspecting firewall).

Unfortunately, that's not what stateful inspection is.

When a packet filter receives a packet, it looks at the source,
destination, port numbers and flags, and decides to permit or
drop the packet *in isolation*.
A *stateful* packet filter maintains a list of current active
connections. A packet that is appropriate for the "state" of a
current connection sails on through. (It might change the state
of the connection-table entry, if, for instance, the FIN or RST
flags are set....)

That leaves four other cases to be dealt with:

1. This packet is trying to start a new connection, which matches
a "permit" rule. Add the connection (in its initial state) to the
connection table.

2. This packet is trying to start a new connection, which matches
a deny/drop/reject rule.

3. This packet isn't trying to start a new connection (at least by
normal rules...), and doesn't match an existing connection in the
table. A non-stateful packet filter would have let this by, but
by being stateful, we can block it. [I see an awful lot of unsolicited
SYN-ACK packets, and sometimes applications seem to be willing to
accept that as a connection....]

4. Special protocols, such as FTP. Having established initial
contact (see #1), client and server agree to begin additional
connections on arbitrary ports. With a non-stateful packet filter,
the only way I can permit these protocols is by leaving huge swaths
of open ports. But a stateful packet-inspection implementation can
"listen in" on the conversation and make an appropriate entry in the
connection table (actually, usually, a temporary entry in the "permit"
rulebase).

You may perhaps have been thinking of "deep inspection", where the
firewall knows about protocol details and so can, for instance, verify
that that stuff using port 80 is really HTTP.

David Gillett



I was (thinking of deep inspection). My mistake, thanks for the correction.

--
Neil.
http://voidfx.net
"I'm not here. You're not there. Don't leave a message. There is no beep."
--Jean-Paul Sartre's answering machine.
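As an added illustration that is not part of either poster's message, here is a toy Python model of the decision sequence David describes: the connection table, the four new-packet cases, and a one-shot temporary permit for an FTP-style data connection. The rule list, addresses and the packet dictionary format are constructed for this example and do not correspond to any real firewall's code.

```python
# Constructed toy model of stateful packet filtering; not any real firewall's code.

PERMIT_RULES = [("any", 80)]  # (destination host, destination port) allowed to open a connection

def _match_permit(pkt, rules):
    return any((h == "any" or h == pkt["dst"]) and p == pkt["dport"] for h, p in rules)

class StatefulFilter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.table = {}        # (src, sport, dst, dport) -> "SYN_SENT" | "ESTABLISHED"
        self.expected = set()  # case 4: temporary permits learned from a control channel

    def expect(self, dst, dport):
        # Case 4: a protocol helper saw e.g. an FTP PORT/PASV exchange and
        # registers the agreed data connection as a one-shot temporary permit.
        self.expected.add((dst, dport))

    def decide(self, pkt):
        flags = pkt["flags"]
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        key = fwd if fwd in self.table else (rev if rev in self.table else None)
        if key is not None:
            # Matches a tracked connection: pass it and update the entry's state.
            if "FIN" in flags or "RST" in flags:
                del self.table[key]  # simplification: no TIME_WAIT handling
            elif flags == {"SYN", "ACK"} and key == rev:
                self.table[key] = "ESTABLISHED"
            return "permit"
        if flags == {"SYN"}:
            # Cases 1 and 2: a connection opener is checked against the rulebase.
            if (pkt["dst"], pkt["dport"]) in self.expected:
                self.expected.discard((pkt["dst"], pkt["dport"]))
                self.table[fwd] = "SYN_SENT"
                return "permit"
            if _match_permit(pkt, self.rules):
                self.table[fwd] = "SYN_SENT"
                return "permit"
            return "drop"
        # Case 3: neither an opener nor part of a known connection, e.g. an
        # unsolicited SYN-ACK; a stateless filter would have let it through.
        return "drop"

def packet(src, sport, dst, dport, *flags):
    # Constructed packet representation: only the fields the filter looks at.
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}
```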
