At 18:19 6/28/95, Peter Couvares wrote:
>I'm evaluating the relative merits of stateful packet filters (such as
>Firewall-1 and SunScreen) vs. those of application gateways (such as
>the TIS toolkit) for an upcoming firewall implementation, and have
>some questions; it seems to me that the former may have some
>potentially serious weaknesses.
>
>If, say, a UDP packet flies from internal host A through a stateful
>packet filter to external host B in such a way that the firewall
>expects a reply from machine B, what's to stop a second, malicious
>user on machine B from sending a different UDP packet back to A first?
If you change "host" in all your statements to "host/port", which is what
the "stateful packet filters" (commonly called "dynamic packet filters")
actually look at, then the answer is "nothing".
>Do any stateful packet filters examine the content of the packet and
>have enough of an understanding of the given protocol to reject such
>packets?
No, not as far as I know.
>Is it always _possible_ to do so?
I doubt it.
>If not, it seems likely that someone could exploit this in order to
>circumvent the firewall--but I can't think of a specific example
>offhand. Is it possible that there are there no common situations
>where such a limited breach can cause any harm?
It depends. What are you going to use this capability for? UDP, not TCP;
TCP is adequately protected with the ACK bit. OK, what do you use UDP for
across a firewall? DNS, maybe Archie, maybe syslog, maybe SMTP, maybe
other stuff.
The incoming packets have to correspond to outgoing packets. Are you going
to allow arbitrary UDP outbound across your firewall? No, probably not.
OK, then what services _are_ you going to allow? For each of those
services you're going to allow, consider the consequences of getting back a
forged answer.
For instance, what are the consequences of getting back a forged answer to
a DNS query? It depends; what are you going to do with the answer when you
get it? Are you going to make an authorization decision for inbound access
(for instance, via "rsh" or "rlogin") using it? If so, you're in deep
shit. Are you going to open an outbound connection to a machine based on
it? Then maybe you're in trouble; you may not be connecting to the machine
you think you are. What are the consequences of that? Dunno; depends on
what protocol you're using to connect and what you're going to do. And so
on...
You can see the kind of dialog you have to go through here. These are all
questions you'll have to answer for yourself (often with more questions),
because they're completely site and application specific.
-Brent
----------------------------------------------------------------------
For info about the Internet Security Firewalls Tutorial and a schedule
of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM
----------------------------------------------------------------------
Brent Chapman                          Great Circle Associates
Brent@GreatCircle.COM                  1057 West Dana Street
+1 415 962 0841                        Mountain View, CA 94041
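The point Brent makes above (a dynamic packet filter keys its state on host/port pairs and looks at nothing else in a UDP reply) can be made concrete with a small model. The following is an added example, not code from the post or from any of the products it names; the `DynamicUdpFilter` and `Packet` names, the hosts "A", "B" and "C", and the port numbers are all constructed for illustration. It shows that once an outbound DNS-style query has created a state entry, any datagram carrying the matching host/port tuple is accepted, whatever process on B sent it, while a datagram with a different port or host is dropped.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal UDP datagram header plus an opaque payload (constructed)."""
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int
    payload: bytes = b""


class DynamicUdpFilter:
    """Toy model of a dynamic ("stateful") packet filter for UDP.

    State is keyed only on the (internal host, internal port, external host,
    external port) tuple of an outbound datagram. The payload of a reply is
    never inspected, which is exactly the property discussed in the post.
    """

    def __init__(self, internal_hosts, allowed_outbound_ports, lifetime=30):
        self.internal = set(internal_hosts)
        self.allowed_ports = set(allowed_outbound_ports)
        self.lifetime = lifetime          # seconds an entry lives after creation
        self.state = {}                   # tuple -> expiry time

    def outbound(self, pkt, now):
        """Permit an outbound datagram and record the tuple it expects a reply on."""
        if pkt.src_host not in self.internal or pkt.dst_port not in self.allowed_ports:
            return False
        key = (pkt.src_host, pkt.src_port, pkt.dst_host, pkt.dst_port)
        self.state[key] = now + self.lifetime
        return True

    def inbound(self, pkt, now):
        """Permit an inbound datagram only if it reverses a live outbound tuple."""
        key = (pkt.dst_host, pkt.dst_port, pkt.src_host, pkt.src_port)
        expiry = self.state.get(key)
        if expiry is None or now > expiry:
            self.state.pop(key, None)     # drop stale entries on the way out
            return False
        return True


def demo():
    """Drive the model through the scenario in the post; returns verdicts by name."""
    fw = DynamicUdpFilter(internal_hosts={"A"}, allowed_outbound_ports={53})
    # Internal host A sends a DNS-style query to B:53 from an ephemeral port.
    fw.outbound(Packet("A", 3456, "B", 53, payload=b"constructed query"), now=0)

    verdicts = {}
    # The genuine answer from B:53 is accepted.
    verdicts["genuine_reply"] = fw.inbound(
        Packet("B", 53, "A", 3456, payload=b"constructed real answer"), now=1)
    # A second datagram with the same tuple but a different payload is accepted too:
    # the filter has no way to tell them apart, which is the "nothing" in the reply.
    verdicts["forged_same_tuple"] = fw.inbound(
        Packet("B", 53, "A", 3456, payload=b"constructed other answer"), now=1)
    # Anything that does not match the recorded tuple is dropped.
    verdicts["wrong_port"] = fw.inbound(Packet("B", 5353, "A", 3456), now=1)
    verdicts["wrong_host"] = fw.inbound(Packet("C", 53, "A", 3456), now=1)
    # Arbitrary outbound UDP (here to port 514) is not allowed, so no state is made.
    verdicts["unlisted_outbound_port"] = fw.outbound(Packet("A", 4000, "B", 514), now=1)
    # Once the entry has aged out, even the right tuple is dropped.
    verdicts["after_expiry"] = fw.inbound(Packet("B", 53, "A", 3456), now=31)
    return verdicts


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'ACCEPT' if allowed else 'DROP'}")
```

The model makes the consequence of Brent's "host/port" correction visible: the filter's decision for the second datagram is identical to its decision for the first, so whatever protection exists has to come from the application that consumes the answer, which is why the rest of the reply walks through what each service does with the data it gets back.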