Ben Nagy wrote:
>
> Where a stateful filter will beat out a static filter is in the granularity
> of control it can apply to TCP and also the fact that it can mimic some sort
> of stateful control over stateless protocols like ICMP UDP etc (yes, this is
> what several people have said).
Just to back Ben up: Yes, it is definitely possible to be "stateful" even
where UDP and ICMP are concerned. And yes, it's being done by most SPFs.
(I don't know of anyone that doesn't but I don't know how all firewalls
work :-) For UDP, you more or less just create a pipe between the two
endports in the conversation and apply an idle timeout, and for ICMP
you can even verify that ICMP ECHOs are always answered by
ICMP ECHO_REPLYs.
ICMP errors are another story entirely. Some firewalls drop them all.
Some let all through. A few attempt to match up the errors to existing
states before letting them through.
Again, these protocols are stateless. It does get painful when the
firewall kills the session due to idle timeout, which it has to do
fairly soon since UDP or ICMP doesn't tell us when to close :-(
(There's no easy way around this.)
Someone (not Ben Nagy) wrote:
> > > I think, session hijacking is also a bit more difficult
> > > through a stateful
> > > packet filter, but I'm not sure about that.
Depends on if the SPF is more fascist about flags and sequence number
mismatches than the stack in question; it could just terminate the
connection to protect against hijacking if anomalies are detected. I don't
know of anyone doing this however, since it easily leads to DoS.
(Merits should be debated, however)
There _are_ a few SPFs that randomize initial TCP sequence numbers, which
can help prevent TCP blind spoofing (and hijacking) in cases where the
"protected" hosts have bad ISN generators (NT prior to SP6a and most
network appliances, even some unices).
Some firewalls also react to ARP spoofing games on locally connected
networks, which can help prevent session hijacking. (Only a few do this?)
Generally speaking, however, SPFs do not protect against session hijacking
very well, and neither do proxy type firewalls. You need transport level
authentication to protect against session hijacking; this is where
crypto such as SSL and IPsec comes into play :-)
> [discussing session hijacking through ICMP]
> That's not exactly right either. You can't hijack a session with redirects
Actually, ICMP redirects may help if you're not local to the endpoint.
Blow a couple of redirects against a router between the peers and make it
send the traffic to you instead. BGP injection works too, but that's really
overkill :-) :-)
(But yes, ARP spoofing is by far the most common way of session hijacking)
l8r
/Mike
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00 Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636 Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/ E-mail: [EMAIL PROTECTED]
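The UDP "pipe with an idle timeout" and ICMP ECHO/ECHO_REPLY matching that Mike describes, plus the "match ICMP errors to existing states" option, sketched as a small state table. This is an added illustration, not code from the post or from any firewall product; the packet dicts, the `StateTable`/`admit` names and the timeout values are constructed for the example.

```python
UDP_IDLE = 30.0   # seconds an idle UDP "pipe" survives (constructed value)
ECHO_IDLE = 5.0   # seconds an unanswered ICMP ECHO is remembered

def _udp_key(p):
    # Both directions of a UDP exchange map onto one state entry.
    ends = sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])])
    return ("udp",) + tuple(ends)

class StateTable:
    def __init__(self):
        self.entries = {}  # key -> (last_seen, idle_timeout)

    def _expire(self, now):
        # UDP/ICMP never say "close", so the idle timer is the only teardown.
        for k, (seen, idle) in list(self.entries.items()):
            if now - seen > idle:
                del self.entries[k]

    def admit(self, p, now, from_inside):
        """Return True if packet p (a dict) may pass at time `now`.
        Only packets from the protected side may create new state."""
        self._expire(now)
        proto = p["proto"]
        if proto == "udp":
            k = _udp_key(p)
            if k in self.entries or from_inside:
                self.entries[k] = (now, UDP_IDLE)   # refresh the idle timer
                return True
            return False
        if proto == "icmp-echo":
            if from_inside:
                self.entries[("echo", p["src"], p["dst"], p["id"])] = (now, ECHO_IDLE)
                return True
            return False
        if proto == "icmp-echo-reply":
            # A reply passes only as the answer to an outstanding ECHO, once.
            k = ("echo", p["dst"], p["src"], p["id"])
            return self.entries.pop(k, None) is not None
        if proto == "icmp-error":
            # Admit an ICMP error only if the quoted inner header matches
            # a live state (the behaviour of the "few" firewalls in the post).
            inner = p["inner"]
            return inner["proto"] == "udp" and _udp_key(inner) in self.entries
        return False
```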