> I think Paul was talking more about TCP ISN rewriting, NOPing out
> unwanted TCP options... Stuff like that.

I know, but I wasn't :)

> > I never said the firewall is the target of the attack... but it
> > is a hindrance that needs to be overcome. How to get out of the
> > bank if all the doors are closed.
>
> Only an A-1 firewall will buy you that. That analogy doesn't really
> hold for a firewall that does anything useful. (Unfortunately.)

True, when you're in there are many ways out...

> > Actually no.
> >
> > hosts A1..10 --> bridged firewall --> switch --> hosts B1..10
> >
> > When A1 arps for B1, B1 will answer, updating the switch MAC table.
>
> And this brings me to another point: fingerprinting leaks.
> In some cases, knowing the MAC address tells you a lot about
> a box. (Thinking of non-PC boxes with built-in NICs.)

Sure, can't argue with that. But all this is based on the assumption
that the attacker or trojan is already within your "secured" network.

> Even for boxes using off-the-shelf NICs, it can still tell you
> if several IPs resolve to the same machine, which may be useful
> in a penetration <hehe there goes the content filter trigger again>
> situation.

Indeed, and there are many more ways to find out if several machines
resolve to the same machine.

> And, here, have another low blow while I'm at it: proxy ARP
> does indeed answer using the firewall's MAC address for all
> published boxes. Even if they're down, or temporarily out and
> traveling, or has a physical L1 switch moving it back and forth
> between separate physical networks once every few minutes.
> (Yes, these things do exist :))

Ehm... you're attacking your own standpoint now? ;) I don't see how this
can strengthen the position of the proxy-ARPing firewall vs the routed or
bridged one.

> > That's because you are Proxy-ARPing... it's too similar to
> > bridged mode.
>
> Oh. Hrm. I need to get a closer look at a brick one of these days
> to satisfy my curiosity.
>
> (Ouch, both me and Paul having a go at you after having warmed
> up against each other. Sorry 'bout that :) )

No problem, just keep it coming :)

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
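The two leaks discussed in the thread (a proxy-ARP firewall answering with its own MAC for every published host, and several IPs resolving to one machine) are easy to see from ARP replies alone. The following is an added example, not code from the thread or from either poster: it parses raw Ethernet/ARP reply frames, groups sender IPs by sender MAC, and flags MACs that answer for more than one address. All MAC and IP values are constructed for the demonstration; the vendor-OUI lookup the posters allude to is left out rather than guessed at, but the locally-administered bit check on the first octet is standard IEEE 802.

```python
"""Group ARP replies by sender MAC to spot proxy-ARP style answers.

Added example for the bridged-vs-proxy-ARP discussion; all frames below are
constructed, not captured.  Only IPv4-over-Ethernet 'is-at' replies are parsed.
"""
import struct
from collections import defaultdict

ETH_TYPE_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying an ARP 'is-at' reply (constructed test data)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, OP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)   # SHA, SPA
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)   # THA, TPA
    return eth + arp


def parse_arp_reply(frame: bytes):
    """Return (sender_mac, sender_ip) for an IPv4 ARP reply, or None for anything else."""
    if len(frame) < 14 + 28:                      # Ethernet header + fixed-size ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    header = struct.unpack("!HHBBH", frame[14:22])
    if header != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, OP_REPLY):
        return None
    return mac_str(frame[22:28]), ip_str(frame[28:32])


def map_ips_to_macs(frames):
    """MAC -> sorted list of IPs that MAC has claimed in replies."""
    table = defaultdict(set)
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed is not None:
            mac, ip = parsed
            table[mac].add(ip)
    key = lambda ip: tuple(int(x) for x in ip.split("."))
    return {mac: sorted(ips, key=key) for mac, ips in table.items()}


def shared_macs(table, threshold=2):
    """MACs answering for at least `threshold` IPs: a proxy-ARP firewall,
    a multi-homed host, or one box published under several addresses."""
    return {mac: ips for mac, ips in table.items() if len(ips) >= threshold}


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set: address assigned locally, not from an IEEE OUI,
    so vendor fingerprinting from the prefix is unreliable."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def sample_frames():
    """Constructed scenario: a proxy-ARP firewall (FW) publishes three hosts,
    one host answers for itself, one frame is not ARP, one reply is a duplicate."""
    fw, host_b, scanner = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "00:de:ad:be:ef:01"
    frames = [build_arp_reply(fw, ip, scanner, "192.168.1.200")
              for ip in ("192.168.1.1", "192.168.1.10", "192.168.1.2", "192.168.1.1")]
    frames.append(build_arp_reply(host_b, "192.168.1.20", scanner, "192.168.1.200"))
    frames.append(mac_bytes(scanner) + mac_bytes(host_b) + struct.pack("!H", 0x0800) + b"\x00" * 28)
    return frames


if __name__ == "__main__":
    table = map_ips_to_macs(sample_frames())
    for mac, ips in shared_macs(table).items():
        tag = " (locally administered)" if is_locally_administered(mac) else ""
        print(f"{mac}{tag} answered for {len(ips)} IPs: {', '.join(ips)}")
```

Run against a real capture, the same grouping is what turns "several IPs resolve to the same machine" into a concrete list; a firewall MAC showing up for every published address, including hosts known to be down, is the proxy-ARP signature the thread describes.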
