Great Circle Associates Firewalls
(June 1994)

Subject: incoming/outgoing packet filtering (Cisco screening)
From: MICHAEL NITTMANN <NITTMANN @ UWLAX . EDU>
Date: Fri, 3 Jun 94 08:41 CDT
To: firewalls @ greatcircle . com

Hi list,

Don Lewis has a problem with the following configuration:

        net a ---------+
                       router +-----internet
        net b ---------+

'How do you prevent forged packets from the internet that have net A 
or B as source address'

1) firewall routers must be configured to not honor source routing,
    which I assume is done for a correct firewall router
2) if a packet is sent with source address from net a or b from the 
internet access (I would prefer to call it 'public', not to give a 
bad sound to 'Internet'), an eventual reply will go to net a or b, 
not back to the public (his 'internet') access. 

One shot is possible. 

BUT:

within an AS, all access points to a public network are known, and 
routing loops may of course not occur. There is a risk of course, as 
always, to use multiple public network access points to circumvent 
intra-AS link failures via a public path. I would never do that, 
so that I know that everything with source address net a or net b 
stays within net a and net b. 

Yes, if you have inside information, you could send some udp. BUT:
all strategical devices, at least within my stuff, are protected as to 
from where they may be configured, read out, written into. The only 
thing possible would be some one shot udp tries (tcp would not go 
past the first packet since the SYN/ACK would stay within the 
network and go into the bit bucket [don't forget to empty it 
frequently for cases where forged packets arrive from the public 
access *-)]).
So, what can we do by sending a forged udp packet (we won't get a 
reply)? 


Not much, especially nothing disruptive. 



An addendum: happily I mistakenly read my own message and found that 
the P.S. was garbled.
Here is what should have been there:

If you allow UDP, you cannot defend against incoming packets.

(the rest is about right, however difficult to read, I admit)


My personal opinion: isolated udp's pose no threat. Denial of 
service? This is always possible if somebody jams my public 
interface with junk. Even if it does not go through it will clog the 
public access pipe. Don't need to forge packets for that.

Mike
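A defender-side model of the screening rule discussed in this thread, added here as an example; it is not from the original post and not a Cisco configuration. It drops any packet arriving on the public interface whose source address claims to be net a or net b, refuses source-routed packets outright (point 1 above), and also applies the mirror-image check on the inside interface, which goes slightly beyond the post. The interface names, the two address blocks and the sample packets are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example topology: two internal nets behind one router
# with a single public ("internet") interface. Blocks are documentation
# ranges chosen for the example, not real site addresses.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),      # net a
                 ipaddress.ip_network("198.51.100.0/24")]   # net b
PUBLIC_IFACE = "Serial0"   # assumed name of the public-side interface

@dataclass
class Packet:
    in_iface: str          # interface the packet arrived on
    src: str
    dst: str
    proto: str = "udp"
    source_routed: bool = False   # IP source-route option present

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def screen(pkt: Packet) -> tuple[str, str]:
    """Return ("drop" | "permit", reason) for one packet seen by the router."""
    # 1) never honour source routing, whatever the interface
    if pkt.source_routed:
        return "drop", "source-routed packet"
    # 2) a packet from the public side cannot legitimately carry an internal source
    if pkt.in_iface == PUBLIC_IFACE and is_internal(pkt.src):
        return "drop", f"forged internal source {pkt.src} on {pkt.in_iface}"
    # 3) mirror check: nothing with a foreign source should leave the inside nets
    if pkt.in_iface != PUBLIC_IFACE and not is_internal(pkt.src):
        return "drop", f"non-internal source {pkt.src} on {pkt.in_iface}"
    return "permit", "ok"

def screen_all(packets):
    return [screen(p) for p in packets]

# Constructed sample traffic covering each rule
SAMPLE = [
    Packet("Serial0", "203.0.113.7", "192.0.2.10"),                      # legit inbound
    Packet("Serial0", "192.0.2.5", "192.0.2.10"),                        # forged: claims net a
    Packet("Serial0", "203.0.113.7", "192.0.2.10", source_routed=True),  # source routed
    Packet("Ethernet0", "192.0.2.5", "203.0.113.7"),                     # legit outbound
    Packet("Ethernet0", "203.0.113.9", "203.0.113.7"),                   # inside host spoofing
]

if __name__ == "__main__":
    for p, (verdict, why) in zip(SAMPLE, screen_all(SAMPLE)):
        print(f"{verdict:6} {p.in_iface:9} {p.src:>14} -> {p.dst:<14} {why}")
```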
