I have another take on this thread that might also be of interest to those that have been following it since last week. First, kudos to Lance for the excellent documentation of the denial of service condition brought about by the mishandling of ACK packets by FW-1. But:

1) We also now have proof that FW-1 allows ACK stealth scanning. I have successfully replicated most of the tests and conditions originally reported by Lance.

2) FW-1 will still allow ACK stealth scanning even though the fixes suggested by Lance are correctly implemented.

3) Over time, these ACK scans could generate sufficient data to determine most of the rules in an installed rule set (and any holes that might exist).

AFAIK, programs like RealSecure aren't smart enough to pick up this type of scanning strategy, unless it was run rapidly enough (a la strobe) to be detected. NFR might be, but I am still looking into that.

What can we do? Unfortunately, looks like we wait for a patch from the boyz at Checkpoint; that might take awhile. In the meantime, I've always got some more practice hacking INSPECT... ;-)

cheers,
sh3p4rd
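The detection point in the post above (a scan slow enough to stay under a rate-based IDS threshold still leaves a trail) can be illustrated with a small log analyser. This is an added example and not code from the original post, from Check Point, or from RealSecure/NFR; the log format it parses (timestamp, source, destination, destination port, TCP flags) is constructed and hypothetical, not FW-1's real log format, and the sample lines are made up. It tracks which flows have seen a SYN, treats ACK packets on flows with no prior SYN as unsolicited, and then applies two rules: a short-window rate rule of the kind the post says slow scans evade, and a long-window distinct-port rule that catches the same probes spread over a day.

```python
"""Detecting slow TCP ACK probing from firewall logs (added example).

The log format below is constructed for this example: one packet per
line as "<date> <time> <src> <dst> <dport> <flags>", where flags use
S (SYN), A (ACK) and P (PSH). Real products log differently.
"""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one legitimate handshake from 203.0.113.5, plus a
# series of bare ACKs from 192.0.2.10 spread over roughly fifteen hours.
SAMPLE_LOG = """\
2001-04-09 08:00:00 203.0.113.5 198.51.100.20 80 S
2001-04-09 08:00:00 203.0.113.5 198.51.100.20 80 A
2001-04-09 08:00:01 203.0.113.5 198.51.100.20 80 PA
2001-04-09 08:10:00 192.0.2.10 198.51.100.20 22 A
2001-04-09 10:42:00 192.0.2.10 198.51.100.20 25 A
2001-04-09 13:15:00 192.0.2.10 198.51.100.20 53 A
2001-04-09 16:03:00 192.0.2.10 198.51.100.20 110 A
2001-04-09 19:30:00 192.0.2.10 198.51.100.20 143 A
2001-04-09 22:58:00 192.0.2.10 198.51.100.20 443 A
"""


def parse_line(line):
    """Split one constructed log line into (ts, src, dst, dport, flags)."""
    date, time_, src, dst, dport, flags = line.split()
    ts = datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S")
    return ts, src, dst, int(dport), flags


def unsolicited_acks(lines):
    """Yield (ts, src, dport) for ACK packets whose flow never saw a SYN.

    A stateful firewall that tracks handshakes can make the same decision
    per packet; here we reconstruct that state from the log after the fact.
    """
    seen_syn = set()
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, flags = parse_line(line)
        flow = (src, dst, dport)
        if "S" in flags:
            seen_syn.add(flow)
        elif "A" in flags and flow not in seen_syn:
            yield ts, src, dport


def _by_source(events):
    """Group events per source address, sorted by time."""
    per_src = defaultdict(list)
    for ts, src, dport in events:
        per_src[src].append((ts, dport))
    for items in per_src.values():
        items.sort()
    return per_src


def rate_alerts(events, window=timedelta(minutes=1), threshold=5):
    """Rate rule: flag a source sending `threshold` unsolicited ACKs within `window`.

    This is the kind of rule a slow scan slips under.
    """
    alerts = set()
    for src, items in _by_source(events).items():
        for i, (start, _) in enumerate(items):
            count = sum(1 for ts, _ in items[i:] if ts <= start + window)
            if count >= threshold:
                alerts.add(src)
                break
    return sorted(alerts)


def slow_scan_alerts(events, window=timedelta(hours=24), min_ports=5):
    """Long-window rule: flag a source probing `min_ports` distinct ports
    with unsolicited ACKs inside `window`, regardless of how slowly."""
    alerts = set()
    for src, items in _by_source(events).items():
        for i, (start, _) in enumerate(items):
            ports = {p for ts, p in items[i:] if ts <= start + window}
            if len(ports) >= min_ports:
                alerts.add(src)
                break
    return sorted(alerts)


def analyse(log_text):
    """Run both rules over a log and return their results side by side."""
    events = list(unsolicited_acks(log_text.splitlines()))
    return {
        "unsolicited": len(events),
        "rate_rule": rate_alerts(events),
        "slow_rule": slow_scan_alerts(events),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the sample, the rate rule reports nothing because no source sends five bare ACKs inside a minute, while the long-window rule flags 192.0.2.10 after its sixth distinct port. The thresholds and window lengths are arbitrary choices for the example; in practice they would be tuned to the site's normal rate of stray ACKs (retransmissions after a reboot, for instance), which is why the flow state from SYN tracking matters: without it every late ACK of a legitimate session would count against its sender.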
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:55:03 PDT