RE: CRIME Ambiguities in TCP/IP - firewall bypassing

From: Andrew Plato (aplato@private)
Date: Fri Oct 25 2002 - 01:31:00 PDT


    Yes, a good firewall and IDS should catch these. I know RealSecure and BlackICE are unhappy when they see weird flag combos.  
     
    But I think the point was that a lot of firewalls still don't screen this out. And that can be bad. 
     
    I do remember reading a very similar scenario to this over a year ago. But it was specific to CheckPoint firewalls barfing on certain flags that would upset their state tables. I assume CheckPoint fixed this long ago. I am reasonably certain WatchGuards are immune from this. I imagine Sonicwalls and Netscreens are as well. 
    
    Either way - something to consider when buying your next firewall. 
    
    Andrew Plato 
    
    	-----Original Message----- 
    	From: brvarinat_private [mailto:brvarinat_private] 
    	Sent: Thu 10/24/2002 2:23 PM 
    	To: crimeat_private 
    	Cc: 
    	Subject: Re: CRIME Ambiguities in TCP/IP - firewall bypassing
    	
    	
    
    
    	Maybe I'm reading this wrong but this is not a new trick at all. Any
    	modern (like 4 years old or newer) firewall should stop this stuff cold and
    	even rudimentary IDSs will also address this.  This stuff is Firewall/IDS
    	101.
    	
    	
    	Brian Varine
    	Regence Blue Cross/Blue Shield
    	IT Security Compliance
    	503-553-1425
    	
    	From:  "Andrew Plato" <aplatoat_private>@cs.pdx.edu on 10/24/2002 10:58 AM
    	
    	Sent by:    owner-crimeat_private
    	
    	
    	
    	To:    <crimeat_private>
    	cc:
    	bcc:
    	
    	
    	Subject:    CRIME Ambiguities in TCP/IP - firewall bypassing
    	
    	
    	
    	Interesting BUGTRAQ article on how to bypass some firewalls. Apparently
    	all OSs respond in this manner.
    	
    	See link:
    	http://online.securityfocus.com/archive/1/296122/2002-10-19/2002-10-25/2
    
    	
    	1. Abstract
    	-----------
    	There are ambiguities in implementations of the TCP/IP suite for various
    	operating systems. Even if this fact has been used for a long time in
    	different software for OS fingerprinting, no real attempt has been made
    	to identify the security impact of the differences in the TCP/IP
    	semantics. We have done some research on the TCP/IP connection open
    	semantics which is of course very important for security of networked
    	systems. We believe that the flaws we have detected have a big impact on
    	design of firewalls and packet filters since an improper implementation
    	can easily lead to serious security problems.
    	-----------
    	___________________________________
    	Andrew Plato, CISSP
    	President /  Principal Consultant
    	Anitian Corporation
    	503-644-5656 Office
    	503-644-8574  Fax
    	503-201-0821 Mobile
    	www.anitian.com
    	_______________________________
    	
    
    
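The kind of flag-combination screen that the thread says any modern firewall or IDS should apply to connection-open segments, as an added Python example that is not code from the thread or from the BUGTRAQ post. Which combinations are treated as malformed (SYN+FIN, SYN+RST, no flags, FIN without ACK) is this example's own assumption drawn from RFC 793 connection semantics, and the sample segments are constructed inline.

```python
import struct

# Classic 8-bit TCP flag field (RFC 793, ECN bits from RFC 3168), low bit first.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Construct a minimal 20-byte TCP header (no options, zero checksum) as test input."""
    offset_flags = (5 << 12) | (flags & 0xFF)        # data offset = 5 words, 8 flag bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)

def parse_tcp_flags(segment: bytes):
    """Return (sport, dport, flags) from the fixed header; flags are the low 8 bits."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, offset_flags = struct.unpack("!HHIIH", segment[:14])
    return sport, dport, offset_flags & 0xFF

def classify_flags(flags: int):
    """Label a flag combination that has no legitimate meaning in RFC 793 connection
    semantics, or return None. The combinations and labels are this example's own choice
    (assumption), not a list taken from the thread."""
    if flags & (SYN | FIN) == SYN | FIN:
        return "SYN+FIN"           # open and close in one segment: contradictory
    if flags & (SYN | RST) == SYN | RST:
        return "SYN+RST"           # open and abort in one segment: contradictory
    if flags & (FIN | SYN | RST | PSH | ACK | URG) == 0:
        return "NULL"              # no control bits at all
    if flags & FIN and not flags & ACK:
        return "FIN-without-ACK"   # after the handshake every segment carries ACK
    return None

def audit_segments(segments):
    """Run the check over raw segments; returns (dport, label) for each anomalous one."""
    findings = []
    for seg in segments:
        _sport, dport, flags = parse_tcp_flags(seg)
        label = classify_flags(flags)
        if label:
            findings.append((dport, label))
    return findings

# Constructed sample traffic: two ordinary opens and three malformed segments.
SAMPLE = [
    build_tcp_header(40000, 80, SYN),                 # normal connection open
    build_tcp_header(40001, 443, SYN | ECE | CWR),    # ECN-capable open, still legitimate
    build_tcp_header(40002, 22, SYN | FIN),
    build_tcp_header(40003, 25, 0),
    build_tcp_header(40004, 139, FIN | PSH | URG),
]

if __name__ == "__main__":
    for dport, label in audit_segments(SAMPLE):
        print(f"port {dport}: {label}")
```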