Diederik Schouten wrote:
>
> Paul Robertson wrote:
> > Once again, if the bridge mode product does any protections that aren't
> > silent, it will potentially be detectable on non-management networks.
>
> And there's the big IF!
>
> And that depends on the implementation of the firewall, both for routed and
> bridged mode. For the Lucent BRICK I know it protects silently unless the
> admin chooses to allow ICMP replies to be generated.

I think Paul was talking more about TCP ISN rewriting, NOPing out unwanted
TCP options... Stuff like that.

> I never said the firewall is the target of the attack... but it
> is a hindrance that needs to be overcome. How to get out of the
> bank if all the doors are closed. Only an A-1 firewall will buy you that.

That analogy doesn't really hold for a firewall that does anything useful.
(Unfortunately.)

> Actually no.
>
> hosts A1..10 --> bridged firewall --> switch --> hosts B1..10
>
> When A1 arps for B1, B1 will answer, updating the switch MAC table.

And this brings me to another point: fingerprinting leaks. In some cases,
knowing the MAC address tells you a lot about a box. (Thinking of non-PC
boxes with built-in NICs.) Even for boxes using off-the-shelf NICs, it can
still tell you if several IPs resolve to the same machine, which may be
useful in a penetration <hehe there goes the content filter trigger again>
situation.

And, here, have another low blow while I'm at it: proxy ARP does indeed
answer using the firewall's MAC address for all published boxes. Even if
they're down, or temporarily out and traveling, or have a physical L1
switch moving them back and forth between separate physical networks once
every few minutes. (Yes, these things do exist :))

> Mikael Olsson wrote:
> > So, where's the flexibility?
> > (No, I still don't get it :))
>
> That's because you are Proxy-ARPing... it's too similar to
> bridged mode.

Oh. Hrm. I need to get a closer look at a Brick one of these days to
satisfy my curiosity.

(Ouch, both me and Paul having a go at you after having warmed up against
each other. Sorry 'bout that :) )

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50   WWW: http://www.clavister.com
"Senex semper diu dormit"

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
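Added example (not from Mikael's post, and not code from Clavister, Lucent or any product named in the thread): the MAC-correlation leak described above, as a small script. It parses constructed `arp -a` style output of the sort a host on the B side might collect after ARPing for the published addresses, and flags every MAC that answers for more than one IP, which on a real segment is either a multi-homed host or a proxy-ARP firewall fronting hosts behind it, including hosts that are down. The sample table and the OUI lookup are made up for the example; a real tool would load the IEEE OUI registry instead.

```python
"""Correlate ARP replies to find several IPs answering from one MAC.

Added illustration of the fingerprinting leak discussed in the thread;
not code from the post or from any product mentioned in it. The ARP
table text and the OUI lookup are constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in Linux "arp -a" format. Three addresses share one
# MAC, which is what a proxy-ARP firewall publishing several hosts looks
# like from the outside.
SAMPLE_ARP_OUTPUT = """\
? (10.0.1.1) at 00:11:22:33:44:01 [ether] on eth0
? (10.0.1.2) at 00:11:22:33:44:02 [ether] on eth0
? (10.0.1.3) at 00:11:22:33:44:01 [ether] on eth0
? (10.0.1.4) at 00:11:22:33:44:01 [ether] on eth0
? (10.0.1.5) at 00:11:22:33:44:05 [ether] on eth0
"""

# Hypothetical OUI prefixes (first three octets) -> vendor. Stand-in for
# the IEEE OUI registry, for the example only.
OUI_TABLE = {
    "00:11:22": "ExampleNIC Inc.",
}

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
)


def normalize_mac(mac):
    """Lower-case, colon-separated form so 00-11-22-... and 00:11:22:... compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_output(text):
    """Return [(ip, mac), ...] from arp -a style lines; lines that do not parse are skipped."""
    pairs = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            pairs.append((m.group("ip"), normalize_mac(m.group("mac"))))
    return pairs


def group_by_mac(pairs):
    """Map each MAC to the set of IPs it answered for."""
    groups = defaultdict(set)
    for ip, mac in pairs:
        groups[normalize_mac(mac)].add(ip)
    return groups


def shared_macs(pairs, threshold=2):
    """{mac: [ips]} for every MAC that answered for at least `threshold` IPs.

    Such a MAC is either a multi-homed host or something answering ARP on
    behalf of others (proxy ARP), which is the leak the thread describes.
    """
    return {
        mac: sorted(ips, key=ipaddress.ip_address)
        for mac, ips in group_by_mac(pairs).items()
        if len(ips) >= threshold
    }


def vendor_of(mac):
    """Look up the OUI prefix in the (hypothetical) vendor table."""
    return OUI_TABLE.get(normalize_mac(mac)[:8], "unknown")


def report(text):
    """One human-readable line per MAC that fronts several IPs."""
    lines = []
    for mac, ips in sorted(shared_macs(parse_arp_output(text)).items()):
        lines.append(
            f"{mac} ({vendor_of(mac)}) answers for {len(ips)} IPs: {', '.join(ips)}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ARP_OUTPUT):
        print(line)
```

Run it against the constructed table and it reports the one MAC that fronts 10.0.1.1, 10.0.1.3 and 10.0.1.4. Against a live segment, feed it the output of `arp -a` after sweeping the published range; it cannot tell a proxy-ARP firewall from a genuinely multi-homed box, so treat a hit as a lead for further fingerprinting rather than a verdict.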
