Great Circle Associates Firewalls
(April 1998)

Subject: RE: socks versus fw-1 stateful inspection vulnerabilities
From: "Ryan Russell" <ryanr @ sybase . com>
Date: Mon, 6 Apr 1998 14:01:29 -0700
To: "Stout, William" <StoutW @ pioneer-standard . com>
Cc: "'firewalls @ GreatCircle . COM'" <firewalls @ GreatCircle . COM>

>State vs. proxy is a religious issue for some, but then again, some
>swear by MS-Proxy as a firewall.

Indeed, I've participated in such discussions.

>I've seen the problem first hand, and the Checkpoint-1 report from the
>NSA points this out also.

You must be referring to the table filling up, and the firewall dropping
connections.  I've confirmed this on this list as well.  I don't consider
this to be a corruption of the table, as it behaves exactly as
expected, and disallows new connections and doesn't crash.  The one
bad thing I will say is that it starts burning CPU time under those
conditions, and I don't know why that should be.  Perhaps it has to do
with the algorithm it uses to clear old entries?  Set the fwhmem parameter
low, and run IS from ISS through it if you want to see it in action.

>The NSA pointed out state-based specific vulnerabilities (which their
>report admits they did not fully test):
>     Exploitation of an allowed service
>     Insider threat - opening up ports to the outside
>     Exploitation of ports opened by a legitimate user
>     Subversion of the stateful packet filtering mechanism

In fact, the article states quite clearly that these are not SPF
specific, except for the last one.

>The test "Test 6: Overflow of internal tables" describes the overflow,
>results, and DOS attack.  The problem should be fixed by now.  Staunch
>defenders of the packet filter faith deny it ever happened.  See
>http://mitten.ie.org/fw1/fw1.htm#statefulpacket

I don't deny it happened, and I think I qualify as a staunch
SPF defender.  As mentioned before, I can confirm those results.
I've also seen my old AG go choke regularly, mostly due to slow
hardware and an older OS (SunOS on Sparc 5.)  The TCP SYN
attack is a similar example.  If your table fills up, and denies new
requests, and doesn't overflow onto the stack or some such,
that's really OK, and as it should be.

                         Ryan

>Bill Stout
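An added illustration of the fail-closed behaviour discussed above, written for this page and not code from the thread or from FireWall-1: a bounded state table that refuses new flows once it is full (rather than overwriting or corrupting entries) and evicts idle entries in last-seen order, so the clean-up cost is per evicted entry instead of a full scan. The capacity, idle timeout and sample flows are constructed values, and the table is a model, not the product's data structure.

```python
from collections import OrderedDict


class StateTable:
    """Bounded connection-state table: full means fail closed, not corrupt."""

    def __init__(self, capacity, idle_timeout):
        self.capacity = capacity          # hypothetical analogue of a memory-style limit
        self.idle_timeout = idle_timeout  # seconds a flow may stay idle before eviction
        self.entries = OrderedDict()      # flow key -> last_seen, oldest first
        self.refused = 0                  # new flows dropped because the table was full

    def expire(self, now):
        """Evict idle entries, stopping at the first live one (no full scan)."""
        removed = 0
        while self.entries:
            key, last_seen = next(iter(self.entries.items()))
            if now - last_seen < self.idle_timeout:
                break
            self.entries.popitem(last=False)
            removed += 1
        return removed

    def admit(self, key, now):
        """Return True if the packet for `key` passes the state check."""
        if key in self.entries:               # established flow: refresh and allow
            self.entries.move_to_end(key)
            self.entries[key] = now
            return True
        self.expire(now)                      # reclaim idle slots before deciding
        if len(self.entries) >= self.capacity:
            self.refused += 1                 # table full: deny, never overwrite
            return False
        self.entries[key] = now
        return True


def simulate(capacity=100, idle_timeout=60.0):
    """Constructed scenario: 150 distinct flows arrive in 150 ms against a
    table of 100 slots, then traffic resumes after the idle timeout."""
    table = StateTable(capacity, idle_timeout)
    flows = [("198.51.100.7", 40000 + i, "192.0.2.10", 80) for i in range(150)]
    admitted = sum(1 for i, f in enumerate(flows) if table.admit(f, now=i * 0.001))
    result = {"admitted": admitted, "refused": table.refused,
              "live_at_peak": len(table.entries)}
    # Once the burst's entries have sat idle past the timeout, they age out.
    result["expired"] = table.expire(now=61.0)
    result["admitted_after_expiry"] = table.admit(
        ("203.0.113.5", 51000, "192.0.2.10", 443), now=61.0)
    return result
```

Established flows keep passing while the table is full; only new flows are refused, which is the "denies new requests" outcome the message describes.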
