Re: statefull inspection FW and hackers



David,
depending on the target OS, a FIN scan can reveal open ports.
Basically an unsolicited FIN packet will be:

- ignored on an open port (RFC 793)

- while on a closed port it will trigger a RST/ACK back

In turn that will give the attacker a way to understand what ports
are actually available on the target.

Thing is, a FIN scan is not likely to be seen and logged by a
firewall which is not stateful.

Andrea

On Wed, Aug 20, 2008 at 6:15 PM, David Gillett <gillettdavid@xxxxxxxx> wrote:
Statefulness doesn't help with SYN port scans -- that much is correct.

However, some attacks may depend on violating the normal state transitions
or sequencing of TCP traffic, or on scanning with other sorts of packets --
I see unsolicited SYN-ACK packets all the time. (Those are probably just
responses to spoofed SYNs, but I can't know that for certain. I'm not sure
what a scan with RST or FIN packets would reveal.)

Most of the stateful firewalls I've seen also do inspection of FTP control
traffic, so that FTP data sessions on negotiated ports can be allowed without
leaving masses of high-numbered ports open all the time. An awful lot of
junk/noise can be filtered out by that.

David Gillett


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Juan B
Sent: Tuesday, August 19, 2008 10:05 PM
To: security basics
Subject: statefull inspection FW and hackers



Hi,

Can someone please explain why stateful inspection FW helps
against hackers? I know that those FW keep track of the
sessions but I don't understand how the feature might help
against a port scan from the internet or other ways to
mitigate hackers' attacks.

Thanks

Juan
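The difference Andrea and David describe above, as an added example that is not part of the thread: a simplified model of a stateless packet filter versus a stateful one, replaying a constructed legitimate session and then a bare FIN probe against an allowed port. The class names, the allowed-port set and the packet values are all assumptions made for the illustration; the stateful model only tracks the inbound direction of a session.

```python
# Added example: stateless vs stateful filtering of an unsolicited FIN.
# Not code from the thread; all packets and addresses are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}

ALLOWED_PORTS = {80}  # assumed policy: only HTTP is published

def stateless_decision(pkt):
    """Plain ACL: only the destination port is checked, so an unsolicited
    FIN to an allowed port is accepted and never logged."""
    return "ACCEPT" if pkt.dport in ALLOWED_PORTS else "DROP"

class StatefulFilter:
    """Tracks inbound sessions by 4-tuple. A packet is accepted only if it
    opens a new session with a bare SYN to an allowed port, or belongs to
    a session already seen; anything else is INVALID and gets logged."""
    def __init__(self):
        self.sessions = set()
        self.log = []

    def decide(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:
            if pkt.flags & {"FIN", "RST"}:
                self.sessions.discard(key)  # normal teardown of a known session
            return "ACCEPT"
        if pkt.flags == frozenset({"SYN"}) and pkt.dport in ALLOWED_PORTS:
            self.sessions.add(key)
            return "ACCEPT"
        self.log.append(f"INVALID {sorted(pkt.flags)} "
                        f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "DROP"

def run_fin_scan_comparison():
    """Replay a constructed legitimate session, then a FIN-scan style probe
    from another host; return both verdicts on the probe and the log."""
    client_syn = Packet("198.51.100.7", 40000, "192.0.2.10", 80, frozenset({"SYN"}))
    client_ack = Packet("198.51.100.7", 40000, "192.0.2.10", 80, frozenset({"ACK"}))
    probe = Packet("203.0.113.5", 55555, "192.0.2.10", 80, frozenset({"FIN"}))
    sf = StatefulFilter()
    for p in (client_syn, client_ack):
        sf.decide(p)
    return {"stateless": stateless_decision(probe),
            "stateful": sf.decide(probe), "log": sf.log}
```

The stateless filter accepts the probe silently, while the stateful one drops it and leaves a log line, which is exactly the visibility difference the thread is about.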