Re: router security
From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 12/30/04
- Next message: datacide: "Re: Which LiveCD to use?"
- Previous message: Christian Christmann: "router security"
- In reply to: Christian Christmann: "router security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 30 Dec 2004 21:51:11 GMT
In article <33j7poF3v71upU1@individual.net>,
Christian Christmann <plfriko@yahoo.de> wrote:
:I've a DSL router with a firewall. Behind this
:router my Linux box is running.
:Nmap indicates the following ports:
nmap from inside or from outside?
:1720/tcp open H.323/Q.931
There have been some H.323 attacks, if my memory serves me. SIP attacks
for sure.
:Is it possible to get access to my Debian system
:through the router from outside? If so, what could
:an attack look like?
Is it a stateless firewall, or does it do "Stateful Packet Inspection"
(SPI)? That is, does it actively keep track of connections and insert
temporary rules that are very specific to the outgoing connection?
Or does it just build a general network address translation?
Firewalls that do not do SPI often have the flaw that when
you open a connection to the outside, that they build an internal
port translation, but allow *anything* outside to use the
reverse translation as long as it is open.
For example, if you had a DNS server running on your Debian machine,
acting mostly as a DNS cache, and the DNS server took the common
approach of using UDP port 53 as the source port for the outgoing
queries, then during the time that a DNS query was in progress,
-anyone- outside would be able to send DNS queries and fake responses
to your DNS server, possibly even taking over the DNS process
[historically, some DNS versions have been vulnerable to buffer
overflows.]
A firewall that did SPI would, in the above example, only permit
the DNS packet back from the exact place that the DNS query had been
sent out from.
In the case of TCP, a firewall that did SPI would further keep track
of the state and sequence numbers of the TCP connections, and would
only allow TCP packets through that were in the right state (e.g.,
no SYN flag once the 3-way handshake was done) and with the expected
range of serial numbers. A stateless firewall would just let all the
packets through and let the host computer take care of detecting
incorrect packets.
Some old stateless firewalls are even worse: they only expect there
to be one inside host, and when the inside host requests to connect
to the outside, the firewall just builds an address translation
without any port translation at all, and then allows -anyone- to
use the address translation. With that generation of "firewall",
your system would be -completely- open to new connections from
anywhere, on any of your ports that happen to be in listening state,
for as long as you had an outgoing connection open.
--
Inevitably, someone will flame me about this .signature.
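The three firewall generations Walter describes (address-only translation, port translation without state, and stateful packet inspection) can be modelled in a few dozen lines. The following is an added illustration, not code from the thread or from any router vendor; the addresses, port numbers and the `Packet`/`*NAT` class names are constructed for the example. It replays the DNS-cache scenario from the post against each model: the inside resolver sends a query, then a genuine reply, a spoofed reply from a different host, and an unrelated connection attempt to another listening port all arrive from outside.

```python
"""Toy model of three router translation behaviours, from weakest to strongest:
address-only NAT, port translation without state, and stateful (SPI) tracking.
Constructed example for illustration; not real firewall code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class AddressOnlyNAT:
    """Oldest generation: one inside host, only the address is rewritten.
    While any outbound flow is open, every inbound packet is forwarded."""

    def __init__(self, public_ip, inside_ip):
        self.public_ip, self.inside_ip = public_ip, inside_ip
        self.active_flows = 0

    def outbound(self, pkt):
        self.active_flows += 1
        return Packet(self.public_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        # Any source, any destination port: forwarded as long as a flow is open.
        if self.active_flows and pkt.dst_ip == self.public_ip:
            return Packet(pkt.src_ip, pkt.src_port, self.inside_ip, pkt.dst_port, pkt.proto)
        return None


class StatelessPortNAT:
    """Port translation without state: the reverse mapping is keyed only on
    the public port, so any outside host may use it while it exists."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.reverse = {}  # (proto, public_port) -> (inside_ip, inside_port)

    def outbound(self, pkt):
        pub = self.next_port
        self.next_port += 1
        self.reverse[(pkt.proto, pub)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        inside = self.reverse.get((pkt.proto, pkt.dst_port))
        if inside is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.proto)


class StatefulNAT(StatelessPortNAT):
    """SPI: the mapping also records the remote endpoint the query went to,
    and an inbound packet is accepted only from exactly that endpoint."""

    def __init__(self, public_ip, first_port=40000):
        super().__init__(public_ip, first_port)
        self.remote = {}  # (proto, public_port) -> (remote_ip, remote_port)

    def outbound(self, pkt):
        out = super().outbound(pkt)
        self.remote[(out.proto, out.src_port)] = (pkt.dst_ip, pkt.dst_port)
        return out

    def inbound(self, pkt):
        if self.remote.get((pkt.proto, pkt.dst_port)) != (pkt.src_ip, pkt.src_port):
            return None
        return super().inbound(pkt)


def run_scenario():
    """Inside DNS cache queries a resolver from UDP port 53; then three inbound
    packets arrive. Returns, per firewall model, which of them got through."""
    inside, public = "192.168.1.10", "198.51.100.2"      # constructed addresses
    resolver, attacker = "198.51.100.53", "203.0.113.7"  # constructed addresses
    results = {}
    for name, fw in [("address_only", AddressOnlyNAT(public, inside)),
                     ("stateless_port", StatelessPortNAT(public)),
                     ("stateful", StatefulNAT(public))]:
        out = fw.outbound(Packet(inside, 53, resolver, 53))
        genuine = Packet(resolver, 53, public, out.src_port)        # real reply
        spoofed = Packet(attacker, 53, public, out.src_port)        # forged reply
        other = Packet(attacker, 4444, public, 22, "tcp")           # unrelated service
        results[name] = {
            "genuine": fw.inbound(genuine) is not None,
            "spoofed": fw.inbound(spoofed) is not None,
            "other_port": fw.inbound(other) is not None,
        }
    return results


if __name__ == "__main__":
    for model, verdict in run_scenario().items():
        print(model, verdict)
```

Running it shows the point of the post: the address-only model forwards all three packets, the stateless port model accepts the genuine and the spoofed reply alike, and only the stateful model lets through the reply from the exact endpoint the query was sent to. The same principle is why a real SPI firewall tracks TCP state and sequence numbers as well, which this model leaves out.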