Bernd Eckenfels wrote:
> 
> Well, how many problems beside missing support for dynamic authentication
> and bad protection from stealth scans do you see if we assume that there is no
> support for complicated protocols needed?

- No per-session logging
- No SYN flood protection
- No sequence number randomization (some SPFs do this)
- No protection against connection flooding

> I am not aware of a TCP server being exploitable if you can't send SYN
> packets to it (perhaps someone can correct me?) only DoS attacks are
> possible, but those are a question of patch level of the OS.

I am. Using fragrouter, you can often connect to blocked TCP ports
behind a stateless packet filter. All you need is _one_ port that
you are allowed to connect to. What fragrouter does is overwrite
the last half (actually, everything beyond the 8th byte) of the
TCP header using overlapping fragments that the filter usually
won't detect. In the overlapping fragment, you turn the SYN flag
on, which the filter won't be able to detect. The host receiving
the fragment will however reassemble the two fragments into one
complete packet WITH the SYN flag turned on.

I think Cisco addressed this in IOS a while ago, so given a 
new enough IOS, this wouldn't be a problem.

Anyway, then there's the problem of UDP "connections", where
you don't have an ACK bit to look for.

AND then there is the increased complexity of setting up a
stateless packet filter -- you need rules in both directions.
Maybe this is child's play for some of the readers here, but
I've seen screwed up ACLs often enough, usually caused by
very subtle errors.

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
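The fragrouter behaviour described in the message above (a non-first fragment overwriting the TCP header bytes beyond the 8th, so that the reassembled packet has SYN set although the fragment the filter inspected did not) can be modelled and checked in a few lines. The following is an added example, not code from the original thread or from fragrouter: all packets are constructed in memory, the reassembler uses a "last fragment wins" overlap policy (real stacks differ), and the hardened filter applies the RFC 1858 style rules (first fragment must carry the whole transport header, no fragment may begin inside that header, overlapping bytes must agree). Function names and the sample port numbers are assumptions of this example.

```python
"""Model of a stateless filter versus overlapping IP fragments that rewrite the TCP header.

Added example, not from the original mailing list post. All fragments below are constructed
inline; nothing is sent on the wire.
"""
import struct

TCP_HEADER_LEN = 20   # minimal TCP header, no options
FLAG_SYN = 0x02
FLAG_ACK = 0x10


def build_tcp_header(sport, dport, seq, ack, flags):
    """Constructed 20-byte TCP header: data offset 5, window 8192, checksum/urgent zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)


def reassemble(fragments):
    """Reassemble (offset_in_bytes, payload) fragments in arrival order.

    Overlap policy: a later fragment overwrites earlier bytes. This is one of several policies
    found in real stacks; the point is that the filter and the host may disagree.
    """
    total = max(off + len(payload) for off, payload in fragments)
    buf = bytearray(total)
    for off, payload in fragments:
        buf[off:off + len(payload)] = payload
    return bytes(buf)


def naive_filter_allows(fragments):
    """Stateless filter that looks at TCP flags only in the offset-0 fragment.

    Policy: pass packets that look like part of an established connection (ACK set, SYN clear).
    Non-first fragments are passed unseen, which is the gap fragrouter exploits.
    """
    first = next((p for off, p in fragments if off == 0), None)
    if first is None or len(first) < 14:
        return False
    flags = first[13]
    return bool(flags & FLAG_ACK) and not (flags & FLAG_SYN)


def hardened_filter_allows(fragments):
    """Same policy plus fragment sanity checks in the spirit of RFC 1858.

    Drops: a first fragment too small to hold the TCP header, any fragment that starts inside
    the header region, and any overlap whose bytes disagree with what was already seen.
    """
    seen = {}
    for off, payload in fragments:
        if off == 0 and len(payload) < TCP_HEADER_LEN:
            return False          # tiny first fragment: header continues in a later fragment
        if 0 < off < TCP_HEADER_LEN:
            return False          # fragment lands inside the transport header
        for i, byte in enumerate(payload):
            pos = off + i
            if pos in seen and seen[pos] != byte:
                return False      # conflicting overlap: filter and host would disagree
            seen[pos] = byte
    return naive_filter_allows(fragments)


# Constructed fragment sets (assumed ports, not taken from the thread).
_hdr_ack = build_tcp_header(40000, 22, 1000, 2000, FLAG_ACK)
_hdr_syn = build_tcp_header(40000, 22, 1000, 0, FLAG_SYN)

# Overlapping case: offset-0 fragment carries ACK only; the fragment at byte 8 rewrites
# bytes 8..19, including the flags byte at offset 13, with SYN set.
OVERLAP_FRAGMENTS = [(0, _hdr_ack), (8, _hdr_syn[8:])]

# Benign case: one ordinary packet split after byte 24, no overlap, header intact.
_benign_packet = _hdr_ack + bytes(range(40))
BENIGN_FRAGMENTS = [(0, _benign_packet[:24]), (24, _benign_packet[24:])]


def flags_after_reassembly(fragments):
    """TCP flags byte of the packet the receiving host would actually process."""
    return reassemble(fragments)[13]


if __name__ == "__main__":
    for name, frags in (("overlap", OVERLAP_FRAGMENTS), ("benign", BENIGN_FRAGMENTS)):
        print(name, "host sees flags=0x%02x" % flags_after_reassembly(frags),
              "naive=%s hardened=%s" % (naive_filter_allows(frags), hardened_filter_allows(frags)))
```

The naive filter passes the overlapping set because the only fragment it inspects carries ACK, while the host reassembles a packet with SYN set; the hardened filter rejects it on the offset check alone, and would also reject it on the conflicting-bytes check if the offset rule were relaxed. The benign split packet passes both.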