Crafted Packets Handling by Firewalls - FW-1 case

From: Ofir Arkin (ofir@packet-technologies.com)
Date: Wed Jan 19 2000 - 22:33:38 PST


    I will try to focus more on the subject.
    
    FW-1 does accept:  ACK, SYN-ACK, NULL, FIN-ACK  (and more) as valid
    traffic if they match the rule base, even if no connection establishment
    was in progress and no session state was in the firewall's table.
    
    That means no SYN was sent from the inside machine,
    no SYN-ACK from the outside machine and no ACK back
    to finish the 3-way handshake [this is connection establishment
    from the inside out].
    
    Just a "nowhere from" SYN-ACK traveling from the attacker to
    the probed host(s).
    
    I have seen before Lance Spitzner's article about "Understanding
    the FW-1 State table" http://www.enteract.com/~lspitz/fwtable.html
    (all Lance's papers are worth reading!) and it is validating what I
    found a few months ago.
    
    If FW-1 was checking for correctness, i.e. whether the SYN-ACK belongs
    to a connection establishment in progress, no problem would
    have occurred.
    
    Since a SYN from an inside machine should indicate the start of
    the 3-way handshake, a SYN-ACK should be returned with
    the same pair of sockets.
    
    But since no "state" was made in the table for this connection
    no firewall should accept this SYN-ACK.
    
    After the SYN (or another combination of the TCP flags from the outside)
    to an open port (and IP) in the firewall rule base opens a session
    in the stateful table, any other packet can travel from the outside ->
    inside,
    when the only check to be made would be to see if it matches the
    sockets!
    
    This opens a wealth of opportunities to the attacking party.
    
    OS Detection, Port Mapping and other tactics to map a network enjoy this
    behavior.
    
    If CheckPoint FW-1 has a problem with the start/stop process
    then it has to build another mechanism to remember.
    
    Understanding that one of the firewall's obligations is to examine
    valid traffic is essential. It is, in most cases, the sole defender of
    a network.
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Ofir Arkin                      Tel: 972-3-5587001
    Security QA Manager    Fax: 972-3-5587003
    Packet Technologies     http://www.packet-technologies.com
                                       ofir@packet-technologies.com
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
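The post contrasts two behaviours of a stateful packet filter: one that opens a session for any flag combination that matches the rule base, and one that only treats a bare SYN as the start of a connection and drops a stray SYN-ACK, ACK, NULL or FIN-ACK for which no state exists. The following is an added illustration written for this archive entry, not Check Point code and not from the original post. It models a small connection table with both behaviours side by side (the `strict` switch, the `Packet` fields, the state names and the rule base are all constructed for the example), so the difference the author describes can be exercised on constructed packets.

```python
"""Minimal model of a stateful TCP filter (added example, not FW-1 code).

`strict=False` reproduces the lax behaviour described in the post: any packet
whose sockets match the rule base creates state, after which every packet on
those sockets is passed.  `strict=True` only admits a bare SYN as the start of
a connection from the outside, so stray SYN-ACK / ACK / NULL / FIN-ACK packets
with no matching entry are dropped.  All names and values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# TCP flag bits (low byte of the flags field, RFC 793 layout)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Table states; the handshake is collapsed to SYN -> SYN-ACK -> ESTABLISHED
SYN_SENT, SYN_RCVD, ESTABLISHED = "SYN_SENT", "SYN_RCVD", "ESTABLISHED"

Endpoint = Tuple[str, int]
Key = Tuple[Endpoint, Endpoint]  # (initiator socket, responder socket)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    inbound: bool  # True = arrives from the outside, False = sent from the inside


class StatefulFilter:
    def __init__(self, rulebase: Set[Endpoint], strict: bool) -> None:
        self.rulebase = rulebase  # (inside IP, port) pairs reachable from outside
        self.strict = strict
        self.table: Dict[Key, str] = {}

    def _lookup(self, p: Packet) -> Tuple[Optional[Key], Optional[str], bool]:
        """Find the entry for this packet's sockets in either direction.
        Returns (key, state, sent_by_initiator)."""
        fwd: Key = ((p.src, p.sport), (p.dst, p.dport))
        rev: Key = ((p.dst, p.dport), (p.src, p.sport))
        if fwd in self.table:
            return fwd, self.table[fwd], True
        if rev in self.table:
            return rev, self.table[rev], False
        return None, None, False

    def filter(self, p: Packet) -> bool:
        """Return True if the packet is passed, False if it is dropped."""
        key, state, by_initiator = self._lookup(p)
        if key is None:
            return self._new_connection(p)
        # Only the responder may answer a pending SYN, and only with SYN-ACK
        if state in (SYN_SENT, SYN_RCVD) and not by_initiator and p.flags == SYN | ACK:
            self.table[key] = ESTABLISHED
            return True
        # Established traffic in both directions; FIN/RST tear the entry down
        if state == ESTABLISHED and not (p.flags & SYN):
            if p.flags & (FIN | RST):
                del self.table[key]
            return True
        return False  # does not fit the connection's current state

    def _new_connection(self, p: Packet) -> bool:
        key: Key = ((p.src, p.sport), (p.dst, p.dport))
        if not p.inbound:
            # Inside host opening a connection out: only a bare SYN starts one
            if p.flags == SYN:
                self.table[key] = SYN_SENT
                return True
            return False
        if (p.dst, p.dport) not in self.rulebase:
            return False
        if self.strict and p.flags != SYN:
            # No state and not a bare SYN: not a connection start, so drop it
            return False
        # Lax behaviour: any rule-base match opens a session immediately
        self.table[key] = SYN_RCVD if p.flags == SYN else ESTABLISHED
        return True


def probe_outcome(strict: bool, flags: int) -> Tuple[bool, bool]:
    """Deliver one stray packet with `flags` from outside to a permitted inside
    port, then a plain ACK on the same sockets.  Returns (stray passed, ACK passed).
    Addresses are constructed documentation ranges."""
    fw = StatefulFilter(rulebase={("10.0.0.5", 80)}, strict=strict)
    stray = Packet("203.0.113.9", 40000, "10.0.0.5", 80, flags, inbound=True)
    followup = Packet("203.0.113.9", 40000, "10.0.0.5", 80, ACK, inbound=True)
    return fw.filter(stray), fw.filter(followup)


def legit_exchange() -> List[bool]:
    """A normal inside-out connection through the strict filter: SYN out,
    SYN-ACK in, ACK out, data in, FIN-ACK in, then a late ACK with no state."""
    fw = StatefulFilter(rulebase=set(), strict=True)
    out = lambda f: Packet("10.0.0.7", 50000, "198.51.100.2", 443, f, inbound=False)
    inn = lambda f: Packet("198.51.100.2", 443, "10.0.0.7", 50000, f, inbound=True)
    steps = [out(SYN), inn(SYN | ACK), out(ACK), inn(PSH | ACK), inn(FIN | ACK), inn(ACK)]
    return [fw.filter(p) for p in steps]


if __name__ == "__main__":
    print("lax, stray SYN-ACK then ACK:   ", probe_outcome(strict=False, flags=SYN | ACK))
    print("strict, stray SYN-ACK then ACK:", probe_outcome(strict=True, flags=SYN | ACK))
    print("strict, legitimate exchange:   ", legit_exchange())
```

With `strict=False` a stray SYN-ACK to a permitted port is passed and creates an ESTABLISHED entry, so the ACK that follows on the same sockets is passed too; with `strict=True` both are dropped, while the legitimate inside-out exchange still completes and the late ACK after the FIN is refused because its entry is gone.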