From: Hroller Anonymous Remailer <hroller@c2.org>
Date: Sun, 26 Nov 1995 14:34:58 -0800 (PST)
To: firewalls@greatcircle.com
Comments: This message did not originate from the address above. It was remailed by an anonymous remailing service. If you have questions or complaints, please direct them to <hroller@c2.org>

frankw@in.net (Frank Willoughby) wrote:
|Marcus makes a couple of good points...
|>frankw@in.net (Frank Willoughby) writes [in one posting]:
[...]
|Almost all firewalls are vulnerable from TCP Sequence Number
|Prediction Attacks (SNPA) where users on the outside are trying
|to access a system behind the firewall.
If you want protection from TCP sequencing you get a packet filter.
Almost any packet filter can be configured to block TCP sequencing
attacks. If you need help configuring a specific brand of filter, shout
out. Basically you block any connections from the outside that claim
they're coming from internal hosts.
If you want protection from the other problem you mention, in-progress
session stealing, you encrypt end-to-end, (and secure the ends). DESlogin
does the job for me. I hear swIPe works pretty well too.
[...]
|> When you write "almost all vendors haven't even made any
|>attempts to address the issue" - name some names. Who does it right
|>and why? If you're *NOT* talking about IP splicing, I don't know
|>what you're talking about, and I'm sure we'd all like some more
|>substantial information to back up your claims.
|
|As stated earlier, I was talking about the TCP Sequence Number
|Prediction Attack (IP Splicing, Terminal Session Hijacking, etc.).
You just plain don't know what you're talking about, as evidenced by your
confusing TCP sequencing with in-progress session stealing. They have
absolutely nothing to do with each other, aside from being mentioned side
by side in CERT's announcement. They're not the same thing and (see
above) they're not fixed the same way.
[...]
|> So, my natural reaction to Frank's posting was to
|>start my chainsaw - but, indeed, he may be right that there
|>is a problem, so I really welcome the opportunity to hear
|>some cold hard facts about it.
Should've stuck with the first one.
[...]
|From what I have seen, only two vendors have done a thing
|about users on the Outside trying to access an Inside system
|protected by a firewall. To be more specific, I am talking
|about User to Firewall access and *not* Firewall to Firewall
|access. Most people have that area covered.
Your statement baffles me. Firewalls do exactly what you say they don't,
namely protect internal hosts from the Internet at large.
|As far as the facts go, here are two:
|
|o Tsutomu Shimomura's (forgive me if I spelled it wrong, I am
| writing this from memory) system was compromised by the SNPA.
Correct (a first). Mitnick used a TCP sequencer to get into T's machines.
|o Hacking tools exist which make it fairly easy to perform
| SNPAs. EnGarde has a commercial product which accomplishes
| this (with GUI & all).
Not sure about the GUI, but EnGarde does sell a TCP sequencing tool. They
also sell a tool for in-progress session stealing, which does have a GUI
and a button that says "take over session" and all that.
Of course tools for both session stealing and TCP sequencing abound in the
underground.
|Didn't mean to ruffle your feathers, but the problem does exist
|and should be resolved.
Neither problem is in the province of the "traditional" firewall. Both
are very serious threats and need to be dealt with.
|Best Regards,
|
|Frank
jack devlin, ILF
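The packet-filter rule the post describes ("block any connections from the outside that claim they're coming from internal hosts") and the blind sequence-number attack it defeats, as an added example that is not part of the original post or of any product mentioned in it. The addresses, the server's fixed per-connection ISN increment, and the single trusted-host model are constructed assumptions; the symmetric egress rule (dropping inside-interface packets with a non-inside source) goes beyond the post's rule. The simulation omits one step the real attack needs, keeping the trusted host from answering the SYN-ACK it never asked for.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

# Constructed topology (assumptions, not from the post).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
TRUSTED_HOST = "192.0.2.10"   # inside host the server trusts by address
SERVER = "192.0.2.20"         # inside host behind the filter
ATTACKER = "203.0.113.5"      # outside host


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the filter sees it on: "outside" or "inside"
    src: str
    dst: str
    flags: str   # "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    seq: int = 0
    ack: int = 0


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def firewall(pkt: Packet) -> str:
    """Anti-spoofing rules. The first is the rule from the post; the second
    (egress) is an added generalisation."""
    if pkt.iface == "outside" and is_internal(pkt.src):
        return "DROP spoofed-internal-source"
    if pkt.iface == "inside" and not is_internal(pkt.src):
        return "DROP spoofed-external-source"
    return "PASS"


class Server:
    """Listener with a predictable ISN generator: constant increment per
    connection (constructed simplification of old BSD-style behaviour)."""

    def __init__(self, isn0: int = 1000, step: int = 64000):
        self.next_isn = isn0
        self.step = step
        self.half_open = {}        # claimed client src -> our ISN awaiting ACK
        self.established = set()

    def recv(self, pkt: Packet) -> Optional[Union[Packet, str]]:
        if pkt.dst != SERVER:
            return None
        if pkt.flags == "S":
            isn, self.next_isn = self.next_isn, self.next_isn + self.step
            self.half_open[pkt.src] = isn
            # SYN-ACK is routed to the *claimed* source, not to the sender
            return Packet("inside", SERVER, pkt.src, "SA", seq=isn, ack=pkt.seq + 1)
        if pkt.flags == "A" and pkt.src in self.half_open:
            if pkt.ack == self.half_open.pop(pkt.src) + 1:
                self.established.add(pkt.src)
                return "ESTABLISHED"
            return "RST"
        return None


def run_attack(filtered: bool) -> bool:
    """Return True if the outside attacker ends up with a session the server
    believes belongs to TRUSTED_HOST."""
    server = Server()

    def deliver(p: Packet):
        if filtered and firewall(p) != "PASS":
            return None
        return server.recv(p)

    # 1. Two honest probes from the attacker's own address reveal the ISN step.
    isn1 = deliver(Packet("outside", ATTACKER, SERVER, "S", seq=1)).seq
    isn2 = deliver(Packet("outside", ATTACKER, SERVER, "S", seq=1)).seq
    predicted = isn2 + (isn2 - isn1)      # next ISN the server will hand out

    # 2. Spoofed SYN: outside interface, inside source address.
    deliver(Packet("outside", TRUSTED_HOST, SERVER, "S", seq=5000))

    # 3. Blind ACK carrying the predicted ISN + 1; the SYN-ACK was never seen.
    result = deliver(Packet("outside", TRUSTED_HOST, SERVER, "A",
                            seq=5001, ack=predicted + 1))
    return result == "ESTABLISHED"


if __name__ == "__main__":
    print("no filter :", "compromised" if run_attack(False) else "safe")
    print("with filter:", "compromised" if run_attack(True) else "safe")
```

Note what the filter does and does not buy you, which is the post's point: it stops the spoofed SYN at the perimeter, so the predicted ISN never matters, but it does nothing for an already-established session being taken over from a vantage point on the path; that needs end-to-end encryption.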