Great Circle Associates Firewalls
(June 1996)
 


Subject: Re: Spoofing - what is in a name
From: "Daniel Salenger" <dsalenger @ dttus . com>
Date: Wed, 26 Jun 96 09:12:20 CST
To: firewalls @ greatcircle . com

     
     
>>      For lack of better terminology, I have been calling both of the 
>>      following situations 'spoofing'.  If there is a better industry term 
>>      for the second scenario I would like to hear it:
>>      
>>      1. MIBH (Man in Black Hat) knows the internal workings of the 
>>      network at company X.  MIBH directly attempts to use an internal 
>>      trusted IP address from an untrusted attached network.
>>      
>>      2. MIBH believes that company X is properly firewalled and that 
>>      spoof type 1 will not work.  MIBH knows that company X has strong 
>>      ties with company Y.  MIBH attempts to use the company Y IP address 
>>      to gain trusted access to application proxies on the firewall.
     
     Bob said:
     Date:    6/25/96 5:10 PM

>"Spoofing" refers to looking like someone else.  In both cases you are 
>spoofing, that is, you are making yourself (the packets you send out) appear 
>to come from someone else.  One way to gain access to a site is to spoof a 
>trusted host.  In other words, make yourself look like a machine that is 
>trusted.  Both of the cases you mention do this.  The first one is spoofing 
>an internal address; the second is spoofing a trusted external address.
     
>Bob


The reason for my distinction (and the original question) is that many firewall 
products are claiming to be spoof proof where (assuming no strong 
authentication) what they are actually doing is distinguishing between internal 
and external traffic rather than just the IP address.  This might certainly solve 
the problem in the first case of spoofing but not the second (again assuming no 
strong authentication).  My goal is not to define a new term, only to be certain 
that I am not alone in thinking that 'spoof-proof' does not inherently cover all
of the bases.

Dan Salenger
Deloitte & Touche LLP
dsalenger @ dttus . com
     

The following is an attached File item from cc:Mail.  It contains
information that had to be encoded to ensure successful transmission
through various mail systems.  To decode the file use the UUDECODE
program.
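The distinction discussed in the message above, as an added example (not part of the original thread and not any firewall product's code): a toy policy model in which an interface-based anti-spoof check sits in front of a source-address ACL for the application proxies. The network ranges, interface names and function names are constructed assumptions.

```python
import ipaddress

# Constructed topology (assumptions, not from the thread):
INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")     # company X inside
PARTNER_Y_NET = ipaddress.ip_network("192.0.2.0/24")   # company Y, trusted by the proxies
PROXY_TRUSTED = [INTERNAL_NET, PARTNER_Y_NET]

def antispoof_ok(src, iface):
    """Interface-based check: an internal source address is only
    valid on the inside interface, and only internal sources may
    appear there. This is the 'internal vs. external traffic' test."""
    is_internal_src = ipaddress.ip_address(src) in INTERNAL_NET
    return is_internal_src == (iface == "inside")

def proxy_acl_ok(src):
    """Source-address ACL on the application proxies."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PROXY_TRUSTED)

def evaluate(src, iface, strong_auth=False, require_auth_external=False):
    """Return the firewall's decision for one connection attempt."""
    if not antispoof_ok(src, iface):
        return "drop: anti-spoof"
    if not proxy_acl_ok(src):
        return "deny: untrusted source"
    # Mitigation for scenario 2: an address alone never grants
    # trust to anything arriving on the outside interface.
    if require_auth_external and iface == "outside" and not strong_auth:
        return "deny: strong authentication required"
    return "allow"

if __name__ == "__main__":
    # Scenario 1: internal address claimed from the outside interface.
    print(evaluate("10.1.5.9", "outside"))
    # Scenario 2: company Y address from the outside interface. The
    # interface check cannot tell a genuine Y host from a forged one,
    # because both arrive on the same interface.
    print(evaluate("192.0.2.44", "outside"))
    # Same packet once external trust requires strong authentication.
    print(evaluate("192.0.2.44", "outside", require_auth_external=True))
```
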

