At 03:08 PM 6/5/97 +0300, you wrote:
>You mean you can crash an NT FW-1 by sending OOB data to it?!
>That's scary if it is true and should be addressed by Check Point ASAP!
>
It is a bogosity with NT and not with FW1. Can't be addressed by Checkpoint,
since the OS is not in their control. They can only operate (or be as
secure as) at the least common denominator level of the underlying OS.

>What I have always thought of FW-1 is that it operates at quite low level
>inside the OS kernel, that as long as you filter everything the network
>bugs in the OS don't really matter, as the packets never reach FW-1.

Nothing except MS code operates in the NT kernel. This problem is with
what happens when you send oob data to a stack (MS) that is tightly integrated
with the OS (FW1 runs on top of this stuff, not in it...) and the stack/OS
interface and control mechanism itself is crap.
Of course, on UN*X systems, this is not the case. This is a signal example
of the difference between designing for peer review of your security model
and designing for what gets good trade publication reviews.
>
>If sending some bytes of data to FW1 crashes it and the OS, this
>combination (FW1+NT) should not be used as a firewall solution at all. Maybe
>someone from CP could explain, how much do the bugs in the OS matter
>once FW1 is installed.

If there is an overall architectural problem with NT as it is, then the OS
bugs matter A LOT. But, of course, those that say you can trust a black box
solution since the vendors are trustworthy are quite quiet on this regard...
I would agree that you should ignore NT as an OS platform in a
security solution right now. Just my opinion, $.02 US, etc.
Flames to /dev/null.
--
Bryan D. Boyle          | LOGICAL: bdboyle @ att . com 201-386-8584
#include <disclaimer>   | VIRTUAL: http://www.access.digex.net/~bdboyle
AT&T Laboratories, Inc. | PHYSICAL: Whippany, NJ
                        | HISTORICAL: HQ, 6th Battalion, Army of No. VA.
"What country can preserve its liberties, if its rulers are not warned
from time to time, that its people preserve the spirit of resistance?"
-Thomas Jefferson, 1787