Kevin,

My answers are below:

Kevin Steves wrote:
> 
> On Wed, 28 Jun 2000, Jason Witty wrote:
> : According to my sources at Check Point, 4.1 SP1 does support the
> : stateful inspection of TRACEROUTE, but they are unsure as to whether
> 
> And what exactly does it mean to support stateful inspection of
> traceroute?  I need to understand the security ramifications of opening
> some kind of access, which means I need to know exactly how that access
> is mediated.  cp doesn't want to provide that information.

From what I'm told (disclaimer, disclaimer) that means that if you allow
your internal network to trace to the Internet, the firewall will expect
responses back to you from Internet hosts and allow that traffic only.
Basically what they're doing is applying rules to otherwise stateless
protocols (UDP and ICMP) such that they can keep track of "connections"
which were initiated unidirectionally.  This way, you can allow tracert
OUT without having to allow it back IN.

> 
> This is a problem with fw-1, and has been for several years (from day 1
> maybe).  They handwave stateful inspection, without providing
> implementation details. It's gotten much worse recently as the product
> becomes more bloated.

Have you attended any of the annual Users' Conferences?  I just went to
the OPSEC conference in Chicago last week, and they gave me just about
everything but the source code....  I do, however, fully agree with you
that they never did really do a good job at ICMP state.  Then again,
ICMP is a STATELESS protocol, and no one really cared about it until
about a year or so ago - The paranoid simply told the users they can't
have ICMP - Period.  Others simply allowed inbound ICMP echo-replies
(not really that secure, but other than setting you up for a DDoS
attack, someone would have to have already compromised an internal box
in order for them to do anything else really nasty with echo-replies
{read loki, bo2k, etc.})

> 
> : standard echo-request/echo-reply pairing is truly stateful.  They should
> 
> What is truly stateful?

IMHO Truly Stateful = Keeping track of all connection "state" such that
only expected return traffic is permitted for any given protocol.  In
this case, if I send you an ICMP echo-request, the firewall should know
to expect you to send me an ICMP echo-reply within the next few
seconds.  It also SHOULD NOT just blindly allow un-solicited ICMP
echo-replies to come in (as is the case today with users forcing
non-stateful ICMP to work by allowing
"ANY   Internal-Net   echo-reply   Allow").

> 
> : be getting back with me in the next week or so with verification on
> : that.  If it isn't, I've put in a request (on behalf of several large
> : CHKP customers) to make it so.  I'll let everyone know when I hear
> : something back.  Hope this helps (at least a little)...

Just my $.01.

Jason
http://www.wittys.com
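The pairing Jason describes above (echo-request recorded on the way out, only the matching echo-reply let back in; UDP traceroute probes recorded on the way out, only the ICMP time-exceeded/port-unreachable that quotes that probe let back in) can be shown with a small tracker. This is an added illustration, not code from this thread and not Check Point's FW-1 implementation; the packet fields, the 5-second timeout, the 10.0.0.0/24 internal prefix and all addresses are assumptions chosen for the demo, and the traffic in `demo()` is constructed, not captured.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
INTERNAL_NET = "10.0.0."   # hypothetical internal prefix (assumption for the demo)


@dataclass(frozen=True)
class Pkt:
    """Just the ICMP/UDP header fields a stateful tracker needs."""
    proto: str                       # "icmp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[int] = None
    icmp_id: Optional[int] = None    # echo identifier
    icmp_seq: Optional[int] = None   # echo sequence number
    sport: Optional[int] = None
    dport: Optional[int] = None
    # For ICMP errors (types 3/11): the header of the datagram that caused the
    # error, as quoted in the ICMP payload: (src, dst, proto, a, b) where (a, b)
    # is (sport, dport) for UDP or (id, seq) for an ICMP echo probe.
    inner: Optional[Tuple[str, str, str, int, int]] = None


def stateless_rule_allows(p: Pkt) -> bool:
    """The workaround rule 'ANY  Internal-Net  echo-reply  Allow':
    any echo-reply addressed to the internal net gets in, solicited or not."""
    return p.proto == "icmp" and p.icmp_type == ECHO_REPLY and p.dst.startswith(INTERNAL_NET)


class StatefulTracker:
    """Table of outbound probes; each admits exactly one matching answer
    within `timeout` seconds, then the entry is gone."""

    def __init__(self, timeout: float, now):
        self.timeout = timeout
        self.now = now          # clock callable, injected so the demo is deterministic
        self.pending = {}       # (proto, src, dst, a, b) -> expiry time

    def _expire(self) -> None:
        t = self.now()
        for k in [k for k, exp in self.pending.items() if exp <= t]:
            del self.pending[k]

    def outbound(self, p: Pkt) -> bool:
        """Record an outbound probe; False for traffic the tracker cannot pair."""
        if p.proto == "icmp" and p.icmp_type == ECHO_REQUEST:
            key = ("icmp", p.src, p.dst, p.icmp_id, p.icmp_seq)
        elif p.proto == "udp":
            key = ("udp", p.src, p.dst, p.sport, p.dport)
        else:
            return False
        self.pending[key] = self.now() + self.timeout
        return True

    def inbound_allowed(self, p: Pkt) -> bool:
        """Admit an inbound packet only if it answers a pending probe."""
        self._expire()
        if p.proto == "icmp" and p.icmp_type == ECHO_REPLY:
            # A reply carries the request's id/seq with src and dst swapped.
            key = ("icmp", p.dst, p.src, p.icmp_id, p.icmp_seq)
        elif p.proto == "icmp" and p.icmp_type in (DEST_UNREACH, TIME_EXCEEDED) and p.inner:
            # Traceroute answers come from whichever router expired the TTL, so
            # match on the quoted original datagram, not on the error's own src.
            isrc, idst, iproto, a, b = p.inner
            key = (iproto, isrc, idst, a, b)
        else:
            return False
        return self.pending.pop(key, None) is not None   # consume: one answer per probe


class FakeClock:
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t


def demo() -> dict:
    """Constructed traffic: 10.0.0.5 pings and traceroutes to 198.51.100.7;
    203.0.113.9 sends an unsolicited echo-reply."""
    clk, r = FakeClock(), {}
    fw = StatefulTracker(timeout=5.0, now=clk)
    fw.outbound(Pkt("icmp", "10.0.0.5", "198.51.100.7", ECHO_REQUEST, 0x1234, 1))
    reply = Pkt("icmp", "198.51.100.7", "10.0.0.5", ECHO_REPLY, 0x1234, 1)
    r["solicited_reply"] = fw.inbound_allowed(reply)          # True
    r["replayed_reply"] = fw.inbound_allowed(reply)           # False, entry consumed
    bogus = Pkt("icmp", "203.0.113.9", "10.0.0.5", ECHO_REPLY, 7, 7)
    r["unsolicited_stateful"] = fw.inbound_allowed(bogus)     # False
    r["unsolicited_stateless"] = stateless_rule_allows(bogus) # True: the blanket rule lets it in
    fw.outbound(Pkt("udp", "10.0.0.5", "198.51.100.7", sport=33434, dport=33435))
    hop = Pkt("icmp", "192.0.2.1", "10.0.0.5", TIME_EXCEEDED,
              inner=("10.0.0.5", "198.51.100.7", "udp", 33434, 33435))
    r["traceroute_hop"] = fw.inbound_allowed(hop)             # True, router answer matches probe
    fw.outbound(Pkt("icmp", "10.0.0.5", "198.51.100.7", ECHO_REQUEST, 0x1234, 2))
    clk.t += 6.0                                              # past the timeout
    r["late_reply"] = fw.inbound_allowed(
        Pkt("icmp", "198.51.100.7", "10.0.0.5", ECHO_REPLY, 0x1234, 2))  # False
    return r


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is the `unsolicited_*` pair: the blanket echo-reply rule accepts the outsider's packet, the tracker does not. Matching ICMP errors on the quoted inner header rather than on the error's source is what makes traceroute work without opening the firewall to every router on the Internet.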


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
