Re: DENY x REJECT

From: niceshortsat_private
Date: Wed Oct 10 2001 - 02:54:34 PDT


    Ofir Arkin wrote:
    
    >Imagine there is no spoon.
    
        There is no spoon. It is your mind that bends. :)
    
    >What you can do is to test for firewall presence. This is a very simple
    >test that will give you the ability to understand what you are facing. 
    ...
    >One nice added value for the auditor will be the ability to identify the
    >operating system the FW software will be installed on, given the fact
    >the firewall TCP/IP stack generates these lovely RSTs. Another thing
    >that the auditor might gain is the understanding that he is dealing with
    >several systems and not only with the one he is querying - looking at
    >the traces will result in identifying at least two systems which
    >communicate with his machine although he is targeting one.
    
        Yes. This is an issue all operators or auditors need to
        consider: On the one hand, we wish to limit reconnaissance
        activity. Let us not leak information like so many U.S.
        Congressmen. On the other hand, the security of a firewall
        ought not be dependent on the obscurity of its TCP/IP stack.
    
        I find no simple answer fits every scenario.
    
        I do urge, however, if one is attempting to "stealthen" a
        firewall, one will have to remember that TTL decrementation
        still takes place. The FreeBSD kernel IPFW implementation
        *used*[0] to have the option to not subtract from TTL. If one
        doesn't mind playing havoc with traceroute, this, too, may be
        an option.
    
        -anthony kim
    
        [0] I have not been following IPFW in 4.4 or 5.0-CURRENT so
        can't speak definitively.
    
    -- 
    HTTP request sent, awaiting response... 404 Object Not Found
    ERROR 404: Object Not Found.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
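
Added example, not part of the original message: a check an operator can run over a capture taken while auditing their own REJECT rules, to see whether replies that share one source address reveal a second system through their TTL, as the thread describes. All names and sample TTL values are constructed, and the code assumes stacks start from one of the common initial TTLs (32, 64, 128, 255) over a stable path.

```python
# Added example; every name and sample value below is constructed.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # assumed stack defaults

def stack_signature(observed_ttl):
    """Return (guessed initial TTL, hops travelled) for one received packet."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError(f"TTL out of range: {observed_ttl}")

def responders(trace):
    """Group replies by signature; trace is [(tcp_flags, observed_ttl), ...]."""
    groups = {}
    for flags, ttl in trace:
        groups.setdefault(stack_signature(ttl), set()).add(flags)
    return groups

def leaks_second_system(trace):
    """True if replies from one address come from more than one stack/hop."""
    return len(responders(trace)) > 1

# Replies that all carry the audited server's source address.
# REJECT: open port answered by the server, filtered ports by the firewall.
REJECT_TRACE = [("SA", 117), ("RA", 54), ("RA", 54)]
# Same policy, but firewall and server share an initial TTL of 128:
# the firewall is one hop closer, so its RSTs still arrive with TTL 118.
SAME_STACK_TRACE = [("SA", 117), ("RA", 118)]
# DENY: filtered ports are dropped silently, so only the server is heard.
DENY_TRACE = [("SA", 117), ("SA", 117)]

if __name__ == "__main__":
    for name, trace in [("REJECT", REJECT_TRACE),
                        ("REJECT, same stack", SAME_STACK_TRACE),
                        ("DENY", DENY_TRACE)]:
        print(name, responders(trace), leaks_second_system(trace))
```

The second trace is the TTL point from the reply: matching the firewall's stack to the server's does not hide it, because the hop count still differs by the one decrement.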
    



    This archive was generated by hypermail 2b30 : Wed Oct 10 2001 - 08:02:39 PDT