Re: Visnetic and 8signs firewall LOOPHOLE Read....

• Previous message: Zenner: "Re: Check Point FireWall-1 and CCSA"
• In reply to: Charlie C: "Visnetic and 8signs firewall LOOPHOLE Read...."
• Next in thread: James Grant: "Re: Visnetic and 8signs firewall LOOPHOLE Read...."
• Reply: James Grant: "Re: Visnetic and 8signs firewall LOOPHOLE Read...."
• Reply: Charlie C: "Re: Visnetic and 8signs firewall LOOPHOLE Read...."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 22 Oct 2003 15:52:23 GMT

Charlie C wrote:
>
> http://www.safehack.com/Advisory/Visnetic_Bypass_BanList.html
>
> The above explains the exploit. Is this true????

>From what he wrote, there's nothing in this.

>Bypassing Visnetic BAN List when doing Port Scan

"Bypassing" implies you are passing by something, makes it sound like
you are getting through something. Dramatic words but empty. He
has explained (Tracker-style) a method of avoiding being banned.

>Attack type: Bypassing Firewall Rules

Nothing in this bypasses any rules.

>OH, Last week I called Visnetic to report about the bug that kill IIS6
>Visnetic_Kill_IIS6.html, and guess what ? they wanted me to PAY for a
>TAG tech ticket. I said I am just reporting bug in your Firewall, she
>said sir you Have to pay for a ticket, I said fine and I hang-up .

I will ask Deerfield.com about this.
I don't believe it is their policy to charge for bug reports.
They have a Web Forum (http://webboard.deerfield.com/login) for all
the products they sell and people regularly ask questions and report
problems without paying a cent. I follow the VisNetic Firewall forum
and answer questions the same day.

Also, 8Signs has several avenues for reporting bugs and asking
questions. NtWaKO didn't contact 8Signs.

Having said that, this person did not find a bug.

Here is the meat of his "exploit":

>If you scan a box WITHOUT any delay you will get added to BAN LIST.
>But if you use a delay in your scan you wont get added to the ban list.
>The delay that worked for me was 20000ms.

This is not news.
Anyone with a basic understanding of port scans is familiar with
the idea that they are harder to detect if spread over a longer
time period. Also, VisNetic Firewall lets you control the time
period between probes. From the Port Scan/Properties control screen:

+--Time Limit--------------------------------------------------------+
|Set the maximum time between probes for them to count as a port scan|
|(min. 1 second). A low number will miss slow scans, but may reduce |
|false alarms. A high number may generate false alarms. |
| |
|Maximum time between probes: [ ] (seconds) [Default] |
+--------------------------------------------------------------------+

If NtWaKO had increased the time limit, the 20000 ms port scan
would have been caught.

The product clearly explains the possibility of missing slow port
scans and lets you control the time limit used. Also, the help file
explains the feature. NtWaKO could not have read the help file or
he would not have considered this a bug.

>Another Method to scan the box without getting added to BAN list.

Another misinterpretation of the results...

>What I done a DOS attacks on the firewall Remote admin Port 8519
>sure the firewall was logging all these request but in mean time it was
>not able to detect my scan. I have done the scan in the same time as the
>the DOS attack.
>
>Of course the scanner was able to report the Open Ports.

Then he shows a nice picture of UDP packets getting logged (the remote
admin uses TCP).

>Why this worked ?

What worked?
He shows and says nothing about anything working.
I suspect he's implying he did his scan and wasn't added to the Ban
List.

>The firewall is not able to do 100 % packet filtering.

Wrong.
The firewall filtered 100% of the packets that were received.
Not all the packets that were sent were necessarily recieved by
the target system. This is an important area where ignorant people
make ignorant claims. They think that if the packet rate gets high
enough, a firewall "just can't keep up" and packets get past.
Years ago, a person discredited ConSeal PC Firewall saying it
couldn't possibly be useful during a flood because "just like a
river overflowing its banks", during a flood the firewall would
let packets past.

When packet rates get too high for the receiving system, it is the
network card's device driver that drops packets. The network card
will receive each packet it is programmed to receive and tell the
operating system (I'm talking Windows, which VisNetic Firewall
runs on) it has one. If the operating system has time, it will accept
the packet. If the operating system is busy and does not accept the
packet before another one arrives, the network card driver must
discard the packet and report the newer one.

There is no overflow.
There is no getting past.
There are no packets not getting filtered by the firewall.
The firewall inserts itself between the operating system and the
netword card's device drivers such that every single packet must be
passed to it and it alone, and it in turn passes them on to the
operating system if they are allowed.

James Grant
8Signs Ltd.
(makers of 8Signs Firewall and VisNetic Firewall)

• Previous message: Zenner: "Re: Check Point FireWall-1 and CCSA"
• In reply to: Charlie C: "Visnetic and 8signs firewall LOOPHOLE Read...."
• Next in thread: James Grant: "Re: Visnetic and 8signs firewall LOOPHOLE Read...."
• Reply: James Grant: "Re: Visnetic and 8signs firewall LOOPHOLE Read...."
• Reply: Charlie C: "Re: Visnetic and 8signs firewall LOOPHOLE Read...."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]