Yes, a good firewall and IDS should catch these. I know RealSecure and BlackICE are unhappy when they see weird flag combos. But I think the point was that a lot of firewalls still don't screen this out. And that can be bad. I do remember reading a very similar scenario like this over a year ago. But It was specific to CheckPoint firewalls barfing on certain flags that would upset their state tables. I assume CheckPoint fixed this long ago. I am reasonably certain WatchGuards are immune from this. I imagine Sonicwalls and Netwscreens are as well. Either way - something to consider when buying your next firewall. Andrew Plato -----Original Message----- From: brvarinat_private [mailto:brvarinat_private] Sent: Thu 10/24/2002 2:23 PM To: crimeat_private Cc: Subject: Re: CRIME Ambiguities in TCP/IP - firewall bypassing Maybe I'm reading this wrong but this is not a new trick at all. Any modern(like 4 years old or newer) firewall should stop this stuff cold and even rudimentary IDS's will also address this. This stuff is Firewall/IDS 101. Brian Varine Regence Blue Cross/Blue Shield IT Security Compliance 503-553-1425 From: "Andrew Plato" <aplatoat_private>@cs.pdx.edu on 10/24/2002 10:58 AM Sent by: owner-crimeat_private To: <crimeat_private> cc: bcc: Subject: CRIME Ambiguities in TCP/IP - firewall bypassing Interesting BUGTRAQ article on how to bypass some firewalls. Apparently all OSs respond in this manner. See link: http://online.securityfocus.com/archive/1/296122/2002-10-19/2002-10-25/2 1. Abstract ----------- There are ambiguities in implementations of the TCP/IP suite for various operating systems. Even if this fact has been used since a long time in different software for OS fingerprinting, no real attempt has been made to identify the security impact of the differences in the TCP/IP semantics. We have done some research on the TCP/IP connection open semantics which is of course very important for security of networked systems. We believe that the flaws we have detected have a big impact on design of firewalls and packet filters since an improper implementation can easily lead to serious security problems. ----------- ___________________________________ Andrew Plato, CISSP President / Principal Consultant Anitian Corporation 503-644-5656 Office 503-644-8574 Fax 503-201-0821 Mobile www.anitian.com _______________________________ =========================================================================== IMPORTANT NOTICE: This communication, including any attachment, contains information that may be confidential or privileged, and is intended solely for the entity or individual to whom it is addressed. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message is strictly prohibited. Nothing in this email, including any attachment, is intended to be a legally binding signature.
This archive was generated by hypermail 2b30 : Fri Oct 25 2002 - 02:04:38 PDT