Great Circle Associates Firewalls
(July 1994) 		 
Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]
Subject: Re: Faking source address on TCP packets
From: Brent Chapman <brent @ mycroft . GreatCircle . COM>
Date: Thu, 07 Jul 1994 20:52:34 -0700
To: david @ bdt . com (David Beckemeyer)
Cc: firewalls @ GreatCircle . COM
In-reply-to: Your message of Thu, 7 Jul 1994 23:47:57 GMT 
david @
 bdt .
 com (David Beckemeyer) writes:

# In article <9407061504 .
 AA04237 @
 whizbang .
 intellistor .
 com>,
# Quentin Johnson <quent .
 johnson @
 intellistor .
 com> wrote:
# >Why not put a router/packet filter between the Internet and the bastion
# >host?  Then you can tell the router to drop packets going to your
# >networks that have your IP addresses since nobody with your IP
# >addresses should be coming through the router from the Internet.
# >
# >	Quent Johnson
# >
# >
# 
# 
# This requires a router which supports separate filters for
# incoming and outgoing traffic right?  It's my understanding
# that not all routers have this feature.  Am I wrong?

Well, sort of.  "Incoming" and "outgoing" are ambiguous in this
context.  If you mean "incoming" and "outgoing" from the site's point
of view, then yes, such a router is inadequate for this task.  If, on
the other hand, you mean "incoming" and "outgoing" from the router's
point of view, then no, a router that only does one or the other _is_
sufficient for this task (what's "incoming" on one interface is
"outgoing" on another).

# Can you do this with a CISCO?  Or does CISCO only block
# the incoming and does nothing with the outgoing traffic?

Yes, for two reasons.

First, Cisco's "outbound-only" filtering was "outbound on each
interface"; therefore, you could filter traffic going either way
through a 2-interface Cisco by putting the appropriate filters on the
interface where the traffic was going to be "outgoing" (i.e., the
Internet interface for "outgoing traffic to the Internet", and the
internal interface for "incoming traffic from the Internet").

Second, Cisco's current release supports both inbound and outbound
filtering on each interface.

An example of a system where you _can't_ do this kind of forged packet
detection is a BSDI box running "screend".  Screend has one filter
list, and this list is applied to any packet going from one interface
to another.  It doesn't matter what the 2 interfaces are, or which one
is the incoming or outgoing interface; any packet that's going from
one to another is subjected to the exact same rules.

This is my one significant complaint about "screend", but there's not
much that could be done about it, since it's a consequence of how the
code fits into the kernel.


-Brent
--
Brent Chapman         | Great Circle Associates  | Call or email for info about
Brent @
 GreatCircle .
 COM | 1057 West Dana Street    | upcoming Internet Security 
+1 415 962 0841       | Mountain View, CA  94041 | Firewalls Tutorial dates
Indexed By Date Previous: Re: producing source routed packets
From: Brent Chapman <brent @ mycroft . GreatCircle . COM>
Next: Re: producing source routed packets
From: mooks @ csi . gmu . edu (Mark (Mookie))
Indexed By Thread Previous: Re: Faking source address on TCP packets
From: "Rob Tanner" <tanner @ george . arc . nasa . gov>
Next: Authentication devices...
From: "Robert G. Moskowitz" <0003858921 @ mcimail . com>
Google
 
Search Internet Search www.greatcircle.com