> On Tue, 13 Dec 1994, david r coelho wrote:
>
> > My first line of defense for our network uses a router to filter
> > out all new TCP sessions (e.g. with SYN). We let in all established
> > sessions, and then do additional filtering with a firewall. The
> > idea is that the router lets anything go out, but only lets
> > established sessions come in.
> >
> > My question is, is there a vulnerability whereby the established
> > incoming TCP packet could be used to open a new TCP session
> > (say login, telnet, etc) or is the unix (SunOS in my case) kernel
> > tight enought to reject these packets.
> >
New, as in to a new service/port, no...but...
> It would seem to me that if one host C were to snoop an active telnet
> session say, between hosts A and B, grab a string of frames, spray the
> recieving host B momentarily, then repeatedly spray host A (or knock down
> host A by some other means) while resending the copied string of frames
> and adding to them whatever one would like while also keeping the packet
> signatures the same -- that whoever is behind host C could become
> the new active session in place of A.
This is discussed in one of Steve Bellovin's papers on TCP/IP...
pext.ps - "Security Problems in the TCP/IP Protocol Suite"
Steven M. Bellovin, AT&T Bell Laboratories, smb@ulysses.att.com, Apr 1989.
CACM Vol 19, No. 2
is the one you want (I think).
> If the preceding BS is true, then what can any kind of firewall SW/HW
> do to detect such an intrusion, short of encryption strategies?
>
> Will FWTK detect such an intrusion?
No. Nothing will.
Darren
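As an added illustration (not part of the thread, and not anyone's production filter code), the following Python models the router rule david describes, "let anything out, let in only established sessions", together with what a TCP endpoint in the LISTEN state does with a non-SYN segment under RFC 793. It shows why an inbound segment with ACK set passes the router yet cannot open a new session on a listening port, which is the "new service/port, no" half of Darren's answer. The inside-network prefix and sample addresses are constructed.

```python
# Added example: model of an "established-only" inbound router rule plus
# RFC 793 LISTEN-state handling. Addresses and the inside prefix are constructed.
from dataclasses import dataclass

INSIDE_NET = "10.1."   # constructed: address prefix of the protected network


@dataclass
class TcpSegment:
    src: str
    dst: str
    dport: int
    syn: bool
    ack: bool
    rst: bool = False


def router_filter(seg: TcpSegment) -> str:
    """The posted rule: permit anything outbound; inbound, drop segments that
    start a new session (SYN without ACK) and permit the rest as 'established'."""
    if seg.src.startswith(INSIDE_NET):      # outbound: always permitted
        return "permit"
    if seg.syn and not seg.ack:             # inbound connection request
        return "deny"
    return "permit"                         # ACK set: treated as established


def listen_socket_reply(seg: TcpSegment) -> str:
    """RFC 793 processing for a segment arriving at a socket in LISTEN:
    an RST is ignored; any ACK is answered with RST (no connection exists to
    acknowledge); only a bare SYN advances the handshake."""
    if seg.rst:
        return "ignore"
    if seg.ack:
        return "send RST"
    if seg.syn:
        return "send SYN-ACK"
    return "ignore"


def inbound_outcome(seg: TcpSegment) -> str:
    """End-to-end result for an inbound segment: router verdict, then what a
    listening service on the inside host would do with it."""
    if router_filter(seg) == "deny":
        return "dropped by router"
    return "passed router; listener: " + listen_socket_reply(seg)


if __name__ == "__main__":
    for seg in (TcpSegment("192.0.2.9", "10.1.0.5", 23, syn=True, ack=False),
                TcpSegment("192.0.2.9", "10.1.0.5", 23, syn=False, ack=True)):
        print(seg, "->", inbound_outcome(seg))
```

The ACK-only segment is exactly the case the filter cannot distinguish from legitimate established traffic; the model shows that the kernel, not the router, is what prevents it from becoming a new session, while neither component can tell an injected segment from a real one inside an already established connection.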