Re: Ambiguities in TCP/IP - firewall bypassing

From: David Wagner (dawat_private)
Date: Fri Oct 18 2002 - 17:18:50 PDT

    Paul Starzetz wrote:
    >We believe that the flaws we have detected have a big impact on 
    >design of firewalls and packet filters since an improper implementation 
    >can easily lead to serious security problems.
    
    Is there any reason to expect that such improper implementation
    would be common?
    
    As far as I know, the common case is packet filters that look at
    only the ACK and SYN bits.  A typical configuration: All incoming
    packets with the ACK bit set are allowed, as are all outgoing packets.
    The anomalies you found don't seem to pose any problems for such a
    style of configuration.
    
    Are you aware of any common configurations that are at risk?
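
The stateless filter style described in the message above, as an added example that is not part of the original post: it reads the flag byte of a TCP header, applies "all outgoing allowed, incoming allowed only with ACK set", and evaluates all 64 flag combinations to show that the inbound verdict depends on the ACK bit alone. The header builder, port numbers and function names are constructed for illustration.

```python
import struct

# TCP flag bits (RFC 793): the low six bits of header byte 13.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMES = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"),
         (PSH, "PSH"), (ACK, "ACK"), (URG, "URG")]


def build_tcp_header(flags, sport=40000, dport=80):
    """Constructed sample input: a 20-byte TCP header carrying `flags`."""
    offset_flags = (5 << 12) | (flags & 0x3F)  # data offset 5 words, no options
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                       offset_flags, 8192, 0, 0)


def tcp_flags(header):
    """Extract the six classic flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13] & 0x3F


def verdict(direction, header):
    """Stateless rule: all outgoing allowed; incoming allowed only with ACK."""
    if direction == "out":
        return "allow"
    if direction != "in":
        raise ValueError("direction must be 'in' or 'out'")
    return "allow" if tcp_flags(header) & ACK else "drop"


def inbound_verdicts():
    """Map each of the 64 flag combinations to its inbound verdict."""
    return {f: verdict("in", build_tcp_header(f)) for f in range(64)}


if __name__ == "__main__":
    for flags, result in inbound_verdicts().items():
        label = "+".join(n for bit, n in NAMES if flags & bit) or "none"
        print(f"{label:28} {result}")
```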
    