Great Circle Associates Firewalls
(April 1998)

Subject: RE: socks versus fw-1 stateful inspection vulnerabilities
From: "Stout, William" <StoutW @ pioneer-standard . com>
Date: Mon, 06 Apr 1998 15:05:35 -0400
To: "'Ryan Russell'" <ryanr @ sybase . com>
Cc: "'firewalls @ GreatCircle . COM'" <firewalls @ GreatCircle . COM>

State vs. proxy is a religious issue for some, but then again, some
swear by MS-Proxy as a firewall.

I've seen the problem first-hand, and the Checkpoint-1 report from the
NSA points this out also.

The NSA pointed out state-based specific vulnerabilities (which their
report admits they did not fully test):
     Exploitation of an allowed service 
     Insider threat - opening up ports to the outside 
     Exploitation of ports opened by a legitimate user 
     Subversion of the stateful packet filtering mechanism  

The test "Test 6: Overflow of internal tables" describes the overflow,
results, and DoS attack.  The problem should be fixed by now.  Staunch
defenders of the packet filter faith deny it ever happened.  See
http://mitten.ie.org/fw1/fw1.htm#statefulpacket

Bill Stout

> ----- Original Message -----
> From:	Ryan Russell [SMTP:ryanr @ sybase . com]
> Sent:	Sunday, April 05, 1998, 17:09:36
> To:	Stout, William
> Cc:	firewalls @ GreatCircle . COM
> Subject:	Re: socks versus fw-1 stateful inspection vulnerabilities
> 
> My claim is that some folks, perhaps with vested
> interests in seeing leading SPF vendors lose market,
> have been trying to make people think that state tables
> are prone to corruption without providing any examples.
> 
> If you've got details on the problem you've mentioned, I'd
> love to hear them.
> 
>                          Ryan
> 
> 
> 
> 
> 
> Stepken <stepken @ edina . xnc . com> on 04/05/98 01:29:57 PM
> 
> To:   Ryan Russell/SYBASE
> cc:   Christopher Zarcone <czarcone @ vf . lmco . com>, firewalls @ GreatCircle . COM
> Subject:  Re: socks versus fw-1 stateful inspection vulnerabilities
> 
> 
> 
> 
> Ryan Russell wrote:
> 
> > >I can't speak from experience, but I've also read stories of state tables
> > >becoming corrupt, usually with interesting consequences.
> >
> > No, you haven't.  What you've heard is AG vendors claim that this could happen.
> > The same vendors fail to point out that they suffer from the same issue if the
> > very similar TCP connection tables built into the OS that they rely on
> > become corrupt.  If your hardware flakes out, all bets are off on the security
> > software.
> I did some very stressing tests on firewalls with SPF and dynamic rules.
> I was able to cause some memory overflow, which can be exploited as
> buffer overflow, depending on the memory model of the OS.
> Very often they use some well known hash functions (e.g. GNU), which also
> have collisions. Such attacks are very special ones, but they can be
> done.
> 
> regards, Guido Stepken
> 
> 
> 
> 
> ----- End Of Original Message -----
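The two failure modes argued over above, a connection table that fills up under a flood of half-open connections ("overflow of internal tables") and a lookup hash whose collisions an attacker can precompute, as an added simulation. This is example code written for this page, not code from the NSA report, from Check Point FireWall-1, or from any of the posters. The table capacity, the bucket count, the multiply-by-31 hash, the HMAC-SHA256 keyed hash, the "evict the oldest half-open entry" policy and all addresses are assumptions chosen to make the behaviour visible, not a description of how any product works.

```python
"""Simulation of two stateful-filter failure modes: connection-table
exhaustion and hash-bucket collisions.  Added example for this page, not
code from the NSA report, FireWall-1 or any poster; sizes, hash functions,
addresses and eviction policy are assumptions."""
import hashlib
import hmac
import os
import struct
from collections import OrderedDict

# A flow key is (proto, src_ip, src_port, dst_ip, dst_port), IPs as ints.
SERVER = 0xC0A80001          # 192.168.0.1, constructed
SYN_SEEN, ESTABLISHED = "SYN_SEEN", "ESTABLISHED"


class StateTable:
    """Bounded connection table kept in insertion order (oldest first).
    evict_halfopen=False: a full table refuses new flows (naive).
    evict_halfopen=True: the oldest half-open entry is discarded to make
    room (assumed mitigation)."""

    def __init__(self, capacity, evict_halfopen=False):
        self.capacity = capacity
        self.evict_halfopen = evict_halfopen
        self.entries = OrderedDict()
        self.refused = 0

    def syn(self, key):
        """A SYN arrives; return True if a state entry exists afterwards."""
        if key in self.entries:
            return True
        if len(self.entries) >= self.capacity:
            victim = None
            if self.evict_halfopen:
                victim = next((k for k, s in self.entries.items() if s == SYN_SEEN), None)
            if victim is None:
                self.refused += 1
                return False
            del self.entries[victim]
        self.entries[key] = SYN_SEEN
        return True

    def ack(self, key):
        """Handshake-completing ACK; only a flow with state becomes ESTABLISHED."""
        if key not in self.entries:
            return False
        self.entries[key] = ESTABLISHED
        return True


def exhaustion_scenario(capacity, evict_halfopen):
    """Attacker sends one SYN per spoofed source and never completes the
    handshake; then a legitimate client connects.  True if the legitimate
    flow reaches ESTABLISHED."""
    table = StateTable(capacity, evict_halfopen)
    for i in range(capacity):
        table.syn((6, 0x0A000000 + i, 40000, SERVER, 80))   # 10.0.x.y, constructed
    legit = (6, 0xC0A80050, 51000, SERVER, 80)              # 192.168.0.80, constructed
    return table.syn(legit) and table.ack(legit)


def unkeyed_bucket(key, nbuckets):
    """Public, deterministic bucket hash: anyone can predict placements."""
    h = 0
    for v in key:
        h = (h * 31 + v) & 0xFFFFFFFF
    return h % nbuckets


def keyed_bucket_factory(secret, nbuckets):
    """Bucket hash keyed with a per-boot secret (HMAC-SHA256, assumed);
    placements cannot be predicted without the secret."""
    def bucket(key):
        digest = hmac.new(secret, struct.pack("!BIHIH", *key), hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big") % nbuckets
    return bucket


def craft_colliding_keys(bucket_of, target, count):
    """Offline search for `count` distinct flows that bucket_of sends to one
    bucket, varying the source port and then the source address."""
    found, sip, sport = [], 0x0A000001, 1024
    while len(found) < count:
        key = (6, sip, sport, SERVER, 80)
        if bucket_of(key) == target:
            found.append(key)
        sport += 1
        if sport > 65535:
            sip, sport = sip + 1, 1024
    return found


def max_chain_length(keys, bucket_of, nbuckets):
    """Longest chain after inserting keys into a chained table; a lookup
    costs O(chain length), which is what the attacker tries to inflate."""
    chains = [0] * nbuckets
    for k in keys:
        chains[bucket_of(k)] += 1
    return max(chains)


def collision_scenario(nbuckets=64, count=256, secret=None):
    """Attacker crafts `count` flows against the unkeyed hash.  Returns the
    longest chain they cause in an unkeyed table and in a keyed one."""
    secret = secret if secret is not None else os.urandom(16)

    def attacker_model(key):          # what the attacker assumes the filter uses
        return unkeyed_bucket(key, nbuckets)

    crafted = craft_colliding_keys(attacker_model, 0, count)
    return (max_chain_length(crafted, attacker_model, nbuckets),
            max_chain_length(crafted, keyed_bucket_factory(secret, nbuckets), nbuckets))


if __name__ == "__main__":
    print("legit connection after SYN flood, naive table:  ", exhaustion_scenario(1000, False))
    print("legit connection after SYN flood, with eviction:", exhaustion_scenario(1000, True))
    naive, keyed = collision_scenario()
    print("longest bucket chain, unkeyed hash:", naive, "keyed hash:", keyed)
```

With the naive table every one of the 1000 spoofed SYNs holds a slot until its timeout, so the legitimate client is refused; evicting the oldest half-open entry lets it through, at the cost that an attacker who can flood faster than real handshakes complete still churns the table, which is why SYN cookies or proxying the handshake are the stronger answer. In the collision case all 256 crafted flows land in one chain of the unkeyed table while the keyed table spreads them to roughly count/nbuckets per chain; keying the hash only closes the offline-precomputation route, so per-source limits and chain-length caps are still needed against an attacker who can measure lookup latency on the live box.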

