Great Circle Associates Firewalls
(October 1995)
 


Subject: Re: Question: Telnet & Packet Filtering
From: Chris Tyler <chris @ dejong . com>
Date: Tue, 17 Oct 1995 11:03 EDT
To: Firewalls @ GreatCircle . COM
Cc: Carl Jolley <cjolley @ iac . net>

> If you only have two interfaces on your internet router, i.e. to your
> internal network and the other a serial interface to the Internet or
> a LAN interface to an isolated subnet that connects to the Internet,
> then it doesn't matter between filtering input vs. output since the
> input at both ports is output at the other. Filtering input on the
> port that connects to the Internet is the same as filtering output
> at the port that connects to your internal network. The logical
> reverse holds true for output filtering.

(input filtering on port 1 == output filtering on port 2) holds true for all traffic 
that is going *through* a 2-port router. It is not true for traffic *to* or *from* 
the router, e.g., telnet to the router to configure it, routing protocols, ICMP, 
etc.

Thus, on a router that implements input filtering, filtering out telnet on port 
1 keeps telnet traffic from port 1 from reaching port 2 *and* keeps telnet 
traffic from reaching the router. The opposite, filtering telnet traffic from the 
output of port 2, does not keep telnet traffic coming in on port 1 from 
reaching the router, i.e., you could telnet to the router if the router is 
otherwise configured to support it. (Obviously, this can lead to security 
holes with the router itself if the person performing the configuring is used 
to using the "other" type of filter). I haven't thought this through 
completely but I suppose it might leave a small vulnerability to spoofing 
attacks aimed at the router itself (e.g., telnet packets blocked going *out* 
both ports. What's to keep a guessed TCP sequence from going in to the 
router and successfully reconfiguring the router? The telnet response 
packets don't go anywhere, so the attacker is working blind, but that's no 
different from the Mitnick attacks).

This came up for me in a trivial way when translating some rules to a 
Morning Star (input filtering); I meant to have the router respond to pings 
but not permit pings to internal hosts other than the bastion. With the input 
filter scheme, I had to explicitly open a hole for pings to the router.

Chris Tyler    Chris @ DeJong . Com    CTyler @ Oxford . Net
Systems Development Manager, Wm. De Jong Enterprises Inc.
+1-519-424-9007 / fax +1-519-424-2399
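As an added illustration that is not part of Chris's message or anything on the Firewalls list, the small Python model below reproduces the distinction he draws: a two-port router where the same "deny telnet" rule is applied either on the input of the Internet-facing port or on the output of the internal port. Transit packets get the same verdict either way, but a packet addressed to the router's own interface never passes through an output filter, so only the input scheme protects the router itself. The interface names, addresses, rule syntax and the "first match wins, otherwise permit" semantics are all constructed for the example and are not any vendor's filter language. The second function models the Morning Star ping case from the last paragraph: with input filtering, letting the router answer pings while only the bastion answers from inside requires an explicit rule for the router's address.

```python
"""Toy model of a two-port packet-filtering router (constructed example).

port1 faces the Internet, port2 the internal LAN.  Input filters run on
arrival; output filters run on departure, so locally delivered packets
(those addressed to the router) never meet an output filter.
"""
from dataclasses import dataclass

# Constructed addressing for the example.
ROUTER_ADDRS = {"192.0.2.1", "10.0.0.1"}   # router's port1 and port2 addresses
BASTION = "10.0.0.2"
OUTSIDE_HOST = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "icmp"
    dport: int = 0   # TCP destination port; 0 for ICMP


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    proto: str = "any"
    dst: str = "any"
    dport: int = 0     # 0 matches any port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and self.dst in ("any", pkt.dst)
                and self.dport in (0, pkt.dport))


def apply_filter(rules, pkt: Packet) -> bool:
    """First matching rule wins; an empty or non-matching list permits (constructed semantics)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action == "permit"
    return True


class Router:
    def __init__(self, in_filters=None, out_filters=None):
        self.in_filters = in_filters or {}    # port -> rules checked on arrival
        self.out_filters = out_filters or {}  # port -> rules checked on departure

    @staticmethod
    def egress_port(pkt: Packet):
        if pkt.dst in ROUTER_ADDRS:
            return None                       # delivered to the router itself
        return "port2" if pkt.dst.startswith("10.") else "port1"

    def receive(self, ingress: str, pkt: Packet) -> str:
        """Return 'dropped', 'router' (locally delivered) or 'forwarded'."""
        if not apply_filter(self.in_filters.get(ingress, []), pkt):
            return "dropped"
        egress = self.egress_port(pkt)
        if egress is None:
            return "router"                   # output filters are never consulted here
        if not apply_filter(self.out_filters.get(egress, []), pkt):
            return "dropped"
        return "forwarded"


DENY_TELNET = Rule("deny", proto="tcp", dport=23)


def telnet_outcomes(scheme: str):
    """Verdicts for telnet SYNs from outside: one to the router, one to an inside host.

    scheme is "input" (deny on port1 input) or "output" (deny on port2 output).
    """
    if scheme == "input":
        router = Router(in_filters={"port1": [DENY_TELNET]})
    else:
        router = Router(out_filters={"port2": [DENY_TELNET]})
    to_router = router.receive("port1", Packet(OUTSIDE_HOST, "192.0.2.1", "tcp", 23))
    to_inside = router.receive("port1", Packet(OUTSIDE_HOST, "10.0.0.50", "tcp", 23))
    return to_router, to_inside


def ping_outcomes(explicit_router_hole: bool):
    """Input filtering meant to let pings reach the router and the bastion only."""
    rules = [Rule("permit", proto="icmp", dst=BASTION), Rule("deny", proto="icmp")]
    if explicit_router_hole:
        rules.insert(0, Rule("permit", proto="icmp", dst="192.0.2.1"))
    router = Router(in_filters={"port1": rules})
    return tuple(router.receive("port1", Packet(OUTSIDE_HOST, dst, "icmp"))
                 for dst in ("192.0.2.1", BASTION, "10.0.0.50"))


if __name__ == "__main__":
    for scheme in ("input", "output"):
        print(f"telnet denied by {scheme} filter:", telnet_outcomes(scheme))
    print("pings without explicit router rule:", ping_outcomes(False))
    print("pings with explicit router rule:   ", ping_outcomes(True))
```

Running it shows the asymmetry: with the output-side rule the outside telnet packet to the router comes back as "router", meaning it reaches the router's own telnet service, while the input-side rule drops it; and in the ping case the router only answers once its own address is listed as a permitted destination in the input filter. The practical check when translating rules between the two styles is to enumerate the router's own addresses as destinations and decide for each service whether the router itself should accept it.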


