I requested that flames be sent to me directly. However, since
the mail was sent to all, I have to reply to all. Sorry about
the wasted time, disk space & bandwidth caused by my reply. <sigh>
>frankw@in.net (Frank Willoughby) wrote:
>|Marcus makes a couple of good points...
>|>frankw@in.net (Frank Willoughby) writes [in one posting]:
>[...]
>|Almost all firewalls are vulnerable from TCP Sequence Number
>|Prediction Attacks (SNPA) where users on the outside are trying
>|to access a system behind the firewall.
>
>If you want protection from TCP sequencing you get a packet filter.
>Almost any packet filter can be configured to block TCP sequencing
>attacks. If you need help configuring a specific brand of filter, shout
>out. Basically you block any connections from the outside that claim
>they're coming from internal hosts.
No kidding. I wasn't talking about outside nodes claiming to be an
inside host.
>
>If you want protection from the other problem you mention, in-progress
>session stealing, you encrypt end-to-end, (and secure the ends). DESlogin
>does the job for me. I hear swIPe works pretty well too.
Also, a no-brainer. Encryption is the only really effective way of this
attack. Also, few vendors handle this adequately.
>
>[...]
>|> When you write "almost all vendors haven't even made any
>|>attempts to address the issue" - name some names. Who does it right
>|>and why? If you're *NOT* talking about IP splicing, I don't know
>|>what you're talking about, and I'm sure we'd all like some more
>|>substantial information to back up your claims.
>|
>|As stated earlier, I was talking about the TCP Sequence Number
>|Prediction Attack (IP Splicing, Terminal Session Hijacking, etc.).
>
>You just plain don't know what you're talking about, as evidenced by your
>confusing TCP sequencing with in-progress session stealing. They have
>absolutely nothing to do with each other, aside from being mentioned side
>by side in CERT's announcement. They're not the same thing and (see
>above) they're not fixed the same way.
I agree that they aren't the same thing & they aren't fixed the same way.
I was trying to make things simple by combining the two. Perhaps it was
too simple. I should have left them separate. Oh, well. That's what I
get for staying up nights.
>
>[...]
>|> So, my natural reaction to Frank's posting was to
>|>start my chainsaw - but, indeed, he may be right that there
>|>is a problem, so I really welcome the opportunity to hear
>|>some cold hard facts about it.
>
>Should've stuck with the first one.
>
>[...]
>|From what I have seen, only two vendors have done a thing
>|about users on the Outside trying to access an Inside system
>|protected by a firewall. To be more specific, I am talking
>|about User to Firewall access and *not* Firewall to Firewall
>|access. Most people have that area covered.
>
>Your statement baffles me. Firewalls do exactly what you say they don't,
>namely protect internal hosts from the Internet at large.
Not true. Again, I was talking about (Outside) User access to
the Firewall. If you want to argue it, let's take it off-line
and stop wasting other people's time & disk space.
>
>|As far as the facts go, here are two:
>|
>|o Tsutomu Shimomura's (forgive me if I spelled it wrong, I am
>| writing this from memory) system was compromised by the SNPA.
>
>Correct (a first). Mitnick used a TCP sequencer to get into T's machines.
>
>|o Hacking tools exist which make it fairly easy to perform
>| SNPAs. EnGarde has a commercial product which accomplishes
>| this (with GUI & all).
>
>Not sure about the GUI, but EnGarde does sell a TCP sequencing tool. They
>also sell a tool for in-progress session stealing, which does have a GUI
>and a button that says "take over session" and all that.
>
>Of course tools for both session stealing and TCP sequencing abound in the
>underground.
No kidding.
>
>|Didn't mean to ruffle your feathers, but the problem does exist
>|and should be resolved.
>
>Neither problem is in the province of the "traditional" firewall. Both
>are very serious threats and need to be dealt with.
I disagree. I firmly feel that this is definitely within the province
of the "traditional" firewall. The firewall is there to protect the
organization from the risks of the Internet. If it can't address both
problems, then it is offering inadequate protection. People aren't
buying firewalls for performance, they are buying them for protection.
If it can't protect you, you have wasted your money.
I like your last sentence:
"Both are very serious threats and need to be dealt with."
I think the firewall should deal with them. Two vendors have. It would
be nice if others would do the same.
IMO, your last sentence was the only one which counted. I guess you must
have missed the part about flames being sent to me directly. That's OK.
Shame about the wasted bandwidth though.
Let's summarize:
You said:
>Of course tools for both session stealing and TCP sequencing abound in the
>underground.
> Both
>are very serious threats and need to be dealt with.
Isn't that what I said in my mail?
>
>|Best Regards,
>|
>|Frank
>
>jack devlin, ILF
Best Regards,
Frank
Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified
<standard disclaimer>
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
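The anti-spoofing packet-filter rule described in the quoted text ("block any connections from the outside that claim they're coming from internal hosts"), as an added example that is not part of the original posting; the interface names, address ranges and sample packets are constructed assumptions, and an egress mirror of the rule is included as well.

```python
# Added example, not from the original posting: a minimal model of the
# anti-spoofing rule a packet filter applies at the perimeter. Interface
# names, internal prefixes and sample packets are constructed for illustration.
import ipaddress
from dataclasses import dataclass

# Assumed inside address ranges and Internet-facing interface name.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
OUTSIDE_IF = "eth0"


@dataclass
class Packet:
    ingress_if: str   # interface the packet arrived on
    src: str          # claimed source address
    dst: str          # destination address


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the assumed internal prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def verdict(pkt: Packet) -> str:
    """Return 'DROP' for a packet whose source is inconsistent with the
    interface it arrived on, otherwise 'ACCEPT'."""
    # Ingress rule: nothing from the outside may claim an inside source.
    if pkt.ingress_if == OUTSIDE_IF and is_internal(pkt.src):
        return "DROP"
    # Egress rule (mirror image): nothing from the inside may claim an
    # outside source, so our own hosts cannot be used to spoof others.
    if pkt.ingress_if != OUTSIDE_IF and not is_internal(pkt.src):
        return "DROP"
    return "ACCEPT"


# Constructed sample traffic: one spoofed and one legitimate packet per direction.
SAMPLE = [
    Packet("eth0", "10.1.2.3", "10.0.0.5"),        # spoofed inside source from outside
    Packet("eth0", "203.0.113.7", "10.0.0.5"),     # genuine outside source
    Packet("eth1", "10.0.0.5", "203.0.113.7"),     # genuine inside source leaving
    Packet("eth1", "203.0.113.9", "10.0.0.5"),     # inside host spoofing an outside source
]


def run_sample() -> list:
    """Evaluate the constructed sample and return (src, verdict) pairs."""
    return [(p.src, verdict(p)) for p in SAMPLE]


if __name__ == "__main__":
    for src, v in run_sample():
        print(f"{src:14} {v}")
```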
Follow-Ups:
- Re: From: Darren Reed <avalon@coombs.anu.edu.au>