Ofir Arkin wrote:

> Imagine there is no spoon.

There is no spoon. It is your mind that bends. :)

> What you can do is to test for firewall presence. This is a very simple
> test that will give you the ability to understand what you are facing.

...

> One nice added value for the auditor will be the ability to identify the
> operating system the FW software will be installed on, given the fact
> the firewall TCP/IP stack generates these lovely RSTs. Another thing
> that the auditor might gain is the understanding that he is dealing with
> several systems and not only with the one he is querying - looking at
> the traces will result in identifying at least two systems which
> communicate with his machine although he is targeting one.

Yes. This is an issue all operators or auditors need to consider: On the
one hand, we wish to limit reconnaissance activity. Let us not leak
information like so many U.S. Congressmen. On the other hand, the
security of a firewall ought not be dependent on the obscurity of its
TCP/IP stack. I find no simple answer fits every scenario.

I do urge, however, if one is attempting to "stealthen" a firewall, one
will have to remember that TTL decrementation still takes place. The
FreeBSD kernel IPFW implementation *used*[0] to have the option to not
subtract from TTL. If one doesn't mind playing havoc with traceroute,
this, too, may be an option.

-anthony kim

[0] I have not been following IPFW in 4.4 or 5.0-CURRENT so can't speak
definitively.

--
HTTP request sent, awaiting response... 404 Object Not Found
ERROR 404: Object Not Found.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service.
For more information on SecurityFocus' SIA service which automatically alerts you to
the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
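The two tells discussed in the thread, a firewall stack answering with RSTs of its own and the TTL decrement that a "stealthened" firewall still performs, can be checked by an operator against a trace of their own perimeter. The following is an added example, not code from the original post or from either author; it assumes the captured replies have already been reduced to (source address, observed TTL, packet kind) tuples, that the responding stacks start from one of the usual default initial TTLs (32, 64, 128, 255), and it uses a constructed sample trace with documentation addresses (192.0.2.0/24). Two replies under the same address whose inferred initial TTL or hop distance differ mean two different stacks are speaking for one host; a reply from an address other than the probed one is the "second system" the quoted post mentions.

```python
# Added example (not from the original post): infer initial TTL and hop
# distance from observed TTLs, then report when a trace shows more than one
# stack answering for a single probed host. Assumption: responding stacks
# use one of the common default initial TTLs listed below.
from collections import defaultdict

# Common default initial TTL values (assumed set of stack defaults).
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hops(observed_ttl):
    """Return (assumed initial TTL, hop distance) for an observed TTL.

    The initial TTL is taken to be the smallest default >= the observed
    value; the difference is the number of decrementing devices crossed.
    """
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError(f"TTL {observed_ttl} exceeds the largest default")


def distinct_stacks(records):
    """Return the set of (src_ip, initial_ttl, hops) tuples seen in a trace.

    Same src_ip but a different initial TTL or hop count means a different
    system answered under that address (e.g. a firewall emitting RSTs on the
    host's behalf from one hop closer to the auditor).
    """
    return {(src, *infer_hops(ttl)) for src, ttl, _kind in records}


def audit(records, target):
    """Summarise what a trace of probes to `target` gives away.

    Returns {'systems_seen': n, 'findings': [...]} where each finding is a
    human-readable string describing a leaked second system.
    """
    by_ip = defaultdict(set)
    for src, initial, hops in distinct_stacks(records):
        by_ip[src].add((initial, hops))

    findings = []
    for src in sorted(by_ip):
        if src != target:
            findings.append(f"{src} answered although {target} was probed")
        if len(by_ip[src]) > 1:
            findings.append(
                f"{src}: {len(by_ip[src])} distinct stacks reply under this "
                f"address: {sorted(by_ip[src])}"
            )
    return {"systems_seen": sum(len(s) for s in by_ip.values()),
            "findings": findings}


# Constructed sample trace (not a real capture): probes went to 192.0.2.10.
# SYN/ACKs come back with TTL 52 (initial 64, 12 hops), but the RSTs for
# filtered ports arrive with TTL 244 (initial 255, 11 hops): a different
# stack, one hop closer, is refusing connections in the host's name.
SAMPLE_TRACE = [
    ("192.0.2.10", 52, "SYN/ACK"),   # open port answered by the host itself
    ("192.0.2.10", 52, "SYN/ACK"),   # another open port, same stack
    ("192.0.2.10", 244, "RST"),      # filtered port "refused" by another stack
    ("192.0.2.10", 244, "RST"),      # likewise
]

if __name__ == "__main__":
    report = audit(SAMPLE_TRACE, "192.0.2.10")
    print(f"systems seen: {report['systems_seen']}")
    for line in report["findings"]:
        print(" -", line)
```

A trace where every reply for the target shares one (initial TTL, hop distance) pair and no other address speaks up yields an empty findings list; that is what an operator wants to see after tuning the firewall. Note that the check only flags what is in the trace, so a firewall that both spoofs the target's address and happens to sit at the same inferred distance with the same initial TTL would not be separated by TTL alone, which is the quoted post's point about looking at the RST behaviour as well.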
This archive was generated by hypermail 2b30 : Wed Oct 10 2001 - 08:02:39 PDT