Re: Firewalls: what's the use?

From: Juha Laiho (Juha.Laiho_at_iki.fi)
Date: 12/14/03


Date: Sun, 14 Dec 2003 13:57:01 GMT

en_hemlig_person@hotmail.com (Gabriel) said:
>> ICMP, which does not use ports? A firewall is the simplest way to
>> control the types of ICMP message sent and received.
>
>But how much damage can ICMP messages do? Can they be used to crack my
>server? Do I really need to implement a firewall just to prevent ICMP?

Not crack, perhaps -- but there have been cases of sloppily coded
network stacks in some OSes, allowing a specifically crafted ICMP
packet to crash the OS.

>> A TCP or UDP message to a port which is not 'open' still traverses
>> parts of your system software and can be used to acquire information
>> about your machine which may help in a determined port 80 or port 22
>> attack.
>
>I am aware of the logging possibility that comes with a firewall and
>logging is always good but I'm not sure that I fully understand the
>use of "prevention illegal TCP messages".

Different OSes respond differently to some TCP and UDP packets,
especially in cases where the packet was destined to a port where no
program was listening. So, when no program is listening on a port where
a packet arrives, the OS must generate the response packet telling that
there was no program in that port. What all goes in that response packet
differs a bit between different OSes and OS versions. Also, specifically
crafted packets (typically packets that are somehow "illegal" for the
current state of the connection, such as packet requesting a close of
the connection where no connection exists), generate very varying
responses from different OSes (because these are things that don't happen
in the ideal world, there's no set standard on how the OSes should respond
to these invalid situations -- so, the behaviour in these situations may
give an attacker enough information to recognise the OS of the server).

>Do you mean that with a firewall I can prevent people from seeing that
>I have port 80 and 22 opened if they do a port scan?

So, 22 and 80 will always show as 'open', if they are open. But consider
that a remotely exploitable problem is discovered in the combination of
OS and WWW server you're running. Now, your WWW server is configured not
to tell which OS you're running - but the rest of your machine may still
tell a potential attacker what OS you're running, so disabling that info
at your WWW server didn't actually help you. And this is one place where
a firewall may help you: you can configure your system not to respond at
all when a packet arrives for a port where no program is listening. But
of course, this doesn't change the fact that you still would be vulnerable
for the exploit -- someone could try running the exploit blindly - just
to see whether it works. Likewise, you may drop to floor all packets
coming into your service ports where the packet is not valid for the
current state of the session (also preventing OS information leakage).

>I've made some changes to apache so that it reveals as little about
>itself as possible, but it still reveals too much in my opinion.

You might get better limitations by recompiling Apache. What
is revealed by the web server is hard to cover later.

-- 
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
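The policy described above (stay silent on closed ports, drop segments that do not fit the current state of a session, and limit which ICMP types get through) written out as an nftables ruleset for a host serving only SSH and HTTP. This is an added example, not part of the original post; it assumes a stock Linux host with nftables, and the ports and rate limits are illustrative values to adjust.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Host firewall for a machine
# that offers only SSH (22) and HTTP (80); everything else is silently dropped.

flush ruleset

table inet filter {
    chain input {
        # Policy drop: a probe to a closed port gets no RST and no ICMP
        # "port unreachable", so that reply can no longer hint at the OS.
        type filter hook input priority 0; policy drop;

        # Loopback traffic never leaves the host.
        iif "lo" accept

        # Segments that fit no tracked connection (a FIN or RST for a session
        # that does not exist, a stray ACK, ...) are dropped first.
        ct state invalid drop

        # Replies to connections this host opened, and packets of sessions
        # already admitted by the rules below.
        ct state established,related accept

        # Only a clean connection opener (SYN alone) may start a session on a
        # service port; any other "new" flag combination is dropped.
        tcp dport { 22, 80 } tcp flags & (fin|syn|rst|ack) == syn accept

        # ICMP: keep the types correct operation depends on (path MTU,
        # traceroute-style errors), rate-limit echo requests, drop the rest.
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert } accept
        icmpv6 type echo-request limit rate 5/second accept
    }

    chain forward {
        # This host does not route for anyone.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` and verify with `nft list ruleset`. Dropping instead of rejecting means a legitimate client that hits a closed port waits for a timeout rather than failing immediately, which is the usual trade-off for not answering probes.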

