----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 22, 2001 3:06 PM
Subject: Firewalls digest, Vol 1 #33 - 7 msgs


> Send Firewalls mailing list submissions to
> [EMAIL PROTECTED]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.gnac.net/mailman/listinfo/firewalls
> or, via email, send a message with subject or body 'help' to
> [EMAIL PROTECTED]
>
> You can reach the person managing the list at
> [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Firewalls digest..."
>
>
> Today's Topics:
>
>    1. RE: Has anyone heard of this? (Meritt James)
>    2. Re: Synchronise two servers in DMZ (Ron DuFresne)
>    3. Re: Real Secure and Firewall-1 ([EMAIL PROTECTED])
>    4. RE: Has anyone heard of this? (Scott Godfrey)
>    5. RE: Need to Lock Down Mail Relay (Young, Beth A.)
>    6. RE: Why router are vulnerable to FTP and DNS? (Cessna, Michael)
>    7. RE: Router packet filtering (Cessna, Michael)
>
> --__--__--
>
> Message: 1
> Date: Fri, 22 Jun 2001 13:31:52 -0400
> From: "Meritt James" <[EMAIL PROTECTED]>
> Organization: BAH
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: Has anyone heard of this?
>
> I used to know several companies that did "ethical hacking" as a
> consulting service for companies who wanted reports on how good their
> security setup was.  They did everything from brute force to social
> engineering.  The funny thing was that they used the same tools that are
> publicly available (nmap, snort, etc.).
> .................................................................
>
> Fee for fixing television: $100
> Itemized list: hitting the television: $1
> knowing where to hit: $99
>
> Same thing.  I have the same tools a professional mechanic uses most.
> He knows better HOW to use them, on what,...  Same thing.
> --
> James W. Meritt, CISSP, CISA
> Booz, Allen & Hamilton
> phone: (410) 684-6566
>
> --__--__--
>
> Message: 2
> Date: Fri, 22 Jun 2001 10:48:10 -0500 (CDT)
> From: Ron DuFresne <[EMAIL PROTECTED]>
> To: Hans Scheffers <[EMAIL PROTECTED]>
> Cc: Firewall List <[EMAIL PROTECTED]>
> Subject: Re: Synchronise two servers in DMZ
>
>
> I think rsync can run sweetly under ssh, have you looked into that?
> Others will remind me if I'm incorrect here, but it sleeps in the back of
> the mind here, so it might be fact.  Then again, it is a Friday, laziest
> day of the week, barring forest fires...
>
> Thanks,
>
> Ron DuFresne
>
>
> On Fri, 22 Jun 2001, Hans Scheffers wrote:
>
> > Hi,
> >
> > this is off-topic I know, but I have a small problem.
> >
> > I have two servers in the DMZ (both linux), that have to be
> > synchronized on the data files (only on the data files); on both ssh/scp
> > runs, but no telnet/telnetd.
> >
> > server 2 has to receive the data from server 1, but because the amount
> > of the data only changed /new files have to be copied.
> >
> > With cp, I can synchronise dir 2 with dir 1 with the -u / --update
> > parameter.
> > scp doesn't know this option and I cannot find an option that does this
> > in the manpages of ssh/scp.
> >
> > Does anyone have a hint on how to do this?
> >
> > greetz
> > Hans
> >
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
> >
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity.  It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D.  Just don't touch anything.
>
>
> --__--__--
>
> Message: 3
> Subject: Re: Real Secure and Firewall-1
> To: "Carl E. Mankinen" <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED], [EMAIL PROTECTED],
> "Fredy Santana" <[EMAIL PROTECTED]>
> From: [EMAIL PROTECTED]
> Date: Fri, 22 Jun 2001 20:54:52 +0300
>
>
> Hi,
>
> As stated (unofficially), the Checkpoint RealSecure product will be ISS
> RealSecure in the near future. It won't be a problem, will it?
>
> Regards.
>
> ------------------------------------------------------
> Ihsan Cakmakli
> YKT
> Tel: 90.262.6472861
> Fax: 90.262.6471711
> [EMAIL PROTECTED]
>
>
>                     "Carl E. Mankinen" <[EMAIL PROTECTED]>
>                     Sent by: firewalls-admin@pluto.gnac.com
>                     22.06.2001 17:46
>
>                     To:      <firewalls@pluto.gnac.com>, "Fredy Santana" <[EMAIL PROTECTED]>
>                     cc:
>                     Subject: Re: Real Secure and Firewall-1
>
>
> One consideration is that the FW1 integrated product does not work with the
> regular ISS Workgroup Manager console.
> This means if you have regular ISS network sensors (non-FW1), server
> sensors, etc. that all connect to the console and you want to
> add a FW1 network sensor, you will have to run two separate consoles.
> (might not be a big deal for everyone)
>
> Also, the licensing cannot be sync'd up and you will have to handle
> relicensing and key generation separately.
>
> ----- Original Message -----
> From: "Fredy Santana" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, June 20, 2001 8:47 AM
> Subject: Real Secure and Firewall-1
>
>
> > Hi:
> >
> > I'm looking for experiences on installing a Real Secure Network sensor in
> > the same machine as a Firewall-1. Well, I know this is not recommended but I
> > think if the performance requirements are not high it could work.
> >
> > Has anyone done this??
> >
> > Regards from Chile
> >
> >
> > Regards
> > Fredy R. Santana V.
> > Electrical Engineer - CCSA
> > Orion 2000 - Professional Information Security Services
> > La Concepcion 322, 12th floor, Providencia.
> > Santiago, Chile
> > Phone: 56-2-6403944, Fax: 56-2-6403990
> > e-mail: [EMAIL PROTECTED]
> > http://www.orion.cl
> >
> >
> >
>
>
>
> --__--__--
>
> Message: 4
> From: Scott Godfrey <[EMAIL PROTECTED]>
> To: 'Meritt James' <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: Has anyone heard of this?
> Date: Fri, 22 Jun 2001 14:04:39 -0400
>
> I could not have said it better.
>
>
> Scott Godfrey
> Network Security Inside Support
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> 727.547.4000 Ext.276
>
> RISCmanagement, Inc.
> www.riscman.com <http://www.riscman.com>
> 10990 U.S. Hwy 19 North
> Clearwater Florida, 33764
>
>
> -----Original Message-----
> From: Meritt James [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 22, 2001 1:32 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: Has anyone heard of this?
>
>
> I used to know several companies that did "ethical hacking" as a
> consulting service for companies who wanted reports on how good their
> security setup was.  They did everything from brute force to social
> engineering.  The funny thing was that they used the same tools that are
> publicly available (nmap, snort, etc.).
> .................................................................
>
> Fee for fixing television: $100
> Itemized list: hitting the television: $1
> knowing where to hit: $99
>
> Same thing.  I have the same tools a professional mechanic uses most.
> He knows better HOW to use them, on what,...  Same thing.
> --
> James W. Meritt, CISSP, CISA
> Booz, Allen & Hamilton
> phone: (410) 684-6566
>
> --__--__--
>
> Message: 5
> From: "Young, Beth A." <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: RE: Need to Lock Down Mail Relay
> Date: Fri, 22 Jun 2001 13:02:48 -0500
>
> While ORBS is dead, it has spawned 3 other processes:
>
> www.ordb.org
> www.orbl.org
> http://orbs.gst-group.co.uk/
>
> No information yet on which will come out on top but the UK site is already
> in trouble.
>
> -----Original Message-----
> From: Zachary Uram [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 22, 2001 10:27 AM
> To: Gerardo Soto
> Cc: [EMAIL PROTECTED]
> Subject: Re: Need to Lock Down Mail Relay
>
>
> That website is defunct! :)
>
> " Due to circumstances beyond our control, the ORBS website is no
>   longer available. "
>
> Try again! :)
>
> Zach
>
> On Fri, 22 Jun 2001, Gerardo Soto wrote:
>
> >
> > Hello:
> >
> > Check this web site, they do not ask you to create an account and they
> > really test your mail server. Be prepared for it.
> >
> > http://www.orbs.org
> >
> >
> > Regards,
> >
> > On Thu, 21 Jun 2001, Alvin Oga wrote:
> >
> > >
> > > hi lance.. et.al..
> > >
> > > i just went to http://www.abuse.net/relay.html
> > > - they wanted a login passwd etc..etc...
> > >
> > > so wound up doing the telnet stuff as shown... by you folks
> > >
> > > i'd like to add that the "telnet mail.foo.com 25"
> > > is the suspected open relay you are trying to test...
> > > - if it's open... you wanna close it as its admin
> > > - if it's open... as a spammer... you're a bad boy
> > > - it's open if you don't get "relay denied"
> > >
> > > Another good url to use besides the abuse.net site...
> > >
> > > http://www.paladincorp.com.au/unix/spam/spamlart/
> > >
> > > Anyway... I've collected a few more urls for online open relay testing
> > >
> > > http://www.linux-sec.net/audit_tools.gwif.html#Relay
> > >
> > > have fun
> > > alvin
> > > http://www.Linux-Sec.net
> > >
> > > On Thu, 21 Jun 2001, Lance Ecklesdafer wrote:
> > >
> > > > What I try to do is connect to the server on port 25 and go through this
> > > > process.
> > > > (1) HELO INTRUDER.COM
> > > > <The server responds>
> > > > (2) MAIL FROM:[EMAIL PROTECTED]
> > > > <The server responds>
> > > > (3) RCPT TO: [EMAIL PROTECTED]
> > > > <The server will give you an error if it will not accept relays. If it
> > > > accepts mail for a domain other than the domain it is servicing, then it is
> > > > open for a relay attack.>
> > > > If you want to continue your message then you can enter:
> > > > (4) DATA
> > > > <the server will tell you to enter data with only a "." on the last line>
> > > > (5) RSET
> > > > (6) QUIT
> > > >
> > > > That is basically what I do. Does anyone else have anything to add?
> > > >
> > > > Lance
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Gary Rose" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Sent: Thursday, June 21, 2001 10:55 AM
> > > > Subject: Need to Lock Down Mail Relay
> > > >
> > > >
> > > > > What is the easiest way to test if a mail server has mail relay enabled
> > > > > other than pointing your email client at it? Can you telnet to port 25 and
> > > > > use SMTP commands? If so, what is the process?
> > > > >
> > > > >
> > > > > Thanks.
> > > > >
> > > > >
> > > > > -G
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
> [EMAIL PROTECTED]
> "Blessed are those who have not seen and yet have faith." - John 20:29
>
>
> --__--__--
>
> Message: 6
> From: "Cessna, Michael" <[EMAIL PROTECTED]>
> To: 'Sudipto basu' <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: RE: Why router are vulnerable to FTP and DNS?
> Date: Fri, 22 Jun 2001 14:14:39 -0400
>
>
> I believe what you are after is the difference between:
> (please no nitpicking arguments over this!:)  )
>
> Stateful Inspection
> and
> Packet Inspection/Screening Router
> and
> Application Proxy
>
> Look into the definitions on these three terms. Google gives lots of
> results.
> It all relates to how far a FW or router looks into a packet's contents. If
> you allow http through your fw you can and probably will be hacked because
> the FW doesn't inspect the http commands, just the delivery. I know this is a
> very large gray area so please no arguments!
> An application proxy mostly just inspects the data payload of the packet and
> looks to see if there are any commands that are not allowed. Such as for MS
> IIS get\iisadmin
>
> This is the tip of the iceberg. If you really want to know read up on what
> each defines and you will see the overlap that causes the arguments. And
> you'll understand the evils of marketing departments at firewall firms!
> Hope this can help you,
> Mike
>
>
>
> -----Original Message-----
> From: Sudipto basu [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 22, 2001 10:47 AM
> To: [EMAIL PROTECTED]
> Subject: Why router are vulnerable to FTP and DNS?
>
>
> Hi all,
> Can anyone let me know why router-level firewalls are
> not good at filtering FTP, X11 and DNS packets?
> Sudipto.
> [EMAIL PROTECTED]
>
> =====
>
> The most I can do for my friend is.
> Simply to be his friend.
>
>
>
>
> __________________________________________________
> Do You Yahoo!?
> Get personalized email addresses from Yahoo! Mail
> http://personal.mail.yahoo.com/
>
> --__--__--
>
> Message: 7
> From: "Cessna, Michael" <[EMAIL PROTECTED]>
> To: 'Sudipto basu' <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: RE: Router packet filtering
> Date: Fri, 22 Jun 2001 14:37:52 -0400
>
>
> A little background first:
>
> What a firewall uses is a State Table to keep track of connections when they
> are made and to allow the return packets to get to the client. If you have
> two simple rules:
> AnyThingInternal  TO  AnythingExternal  ACCEPT
> anything   TO   Anywhere   DENY
>
> This you would think would allow you to have your internal pc's connect to
> the outside but not allow the outside to connect to the inside. Right?
> Well, without state tables it's wrong.
> The original session creation packets go out fine and then the data from the
> remote server comes back. But when the remote data packet comes to the FW
> the FW would apply its rule base and match it to rule 2. Guess what? It's
> denied!
> The way it is really done is through state tables.
> When you send a packet out it is part of a session; the FW keeps track of
> that session through the state table so that when the reply packets come
> back in the FW knows that it is from a connection 'requested' from internal,
> which is allowed by the first rule, so the FW passes it through even though
> it is a packet 'from somewhere destined for anywhere' (rule 2).
> UDP packets are not a problem outbound but inbound you should not allow them
> unless you have a good reason to. This applies to TCP, GRE, any packet that
> you allow in through the firewall.
>
> You can learn more by reading up on the Syn-Ack-Fin sequencing in TCP/IP and
> also the difference between connection oriented (tcp) and connectionless
> transmissions (UDP). Try Stevens, TCP/IP Illustrated, Vol. 1
> I would recommend this book for just about anything TCP/IP related.
>
> >some protocols like FTP which use more than one data stream
> >present problems  for a router based firewalls.
>
> Remember that FTP negotiates a session on 21 but then uses a dynamically
> assigned port above 1024, so the router would have to know that port 1025 is
> the data session for the ftp connection that was just negotiated. Ports are
> just placeholders for the two ends of a communication to keep things
> straight. You can run FTP on any port that you want. So since a screening
> router is looking for FTP on port 21 and not allowing any other ports, when
> you get to the data transfer portion of your ftp session the router would
> throw it away since it only allows port 21 and no others even though it is
> part of an FTP session.
>
> I hope this helps a little.
> Mike
>
> -----Original Message-----
> From: Sudipto basu [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 22, 2001 11:33 AM
> To: [EMAIL PROTECTED]
> Subject: Router packet filtering
>
>
> I think my earlier question was not clear to some. So
> let me refine it.
>
> I mean to say that without any s/w support a filtering
> technique at router level cannot filter those
> packets.
> Is it right? If yes, then why?
> I have a book which reads like this:
>
>
> "A router alone cannot fully control a stream of IP
> packets, as it cannot monitor the state
> of incoming and outgoing packets, so some protocols
> like FTP which use more than one data stream
> present problems for router based firewalls.
>
> Things get worse when you use a connectionless
> protocol like UDP,
> which forms the basis of DNS. In order to control UDP
> streams in a firewall, you need to add some form of
> state monitoring to a packet filter"
>
> I think my question is somewhat clear now.
>
> Sudipto basu
> [EMAIL PROTECTED]
>
>
>
> =====
>
> The most I can do for my friend is.
> Simply to be his friend.
>
>
>
>
>
>
> --__--__--
>
>
>
> End of Firewalls Digest
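The open-relay check that Gary asked about and Lance and Alvin described (HELO, MAIL FROM, RCPT TO, then look for "relay denied"), replayed here against a tiny in-process stand-in for a mail server so that the server's side of the decision is visible as well as the client's commands. This is an added Python example, not code from the digest or from any of the posters. The domains, networks and addresses (example.org, 192.0.2.0/24, 203.0.113.7, 198.51.100.x) are constructed, and the relay policy it encodes (deliver mail for the server's own domains from anyone, relay to other domains only for clients in listed networks) is an assumption about what an administrator wants to verify, not something the thread states.

```python
"""Open-relay check replayed in-process: the HELO / MAIL FROM / RCPT TO
sequence from the thread, run against a minimal stand-in for a mail server
whose relay policy is visible. Added example; not from the digest.
All domains, networks and addresses are constructed."""
import ipaddress

# Constructed policy. Mail *for* these domains is accepted from anyone;
# mail for any other domain (i.e. relaying) only from the listed networks.
LOCAL_DOMAINS = {"example.org", "mail.example.org"}
RELAY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def rcpt_allowed(client_ip, rcpt):
    """Server-side decision for RCPT TO:<rcpt> from client_ip.
    Returns (accepted, smtp_reply_line)."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return True, "250 OK"            # local delivery, not a relay
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in RELAY_NETWORKS):
        return True, "250 OK"            # relaying for an authorised client
    return False, "550 Relaying denied"  # the reply an admin wants to see


class FakeSmtpServer:
    """Just enough SMTP command handling to show the dialogue."""

    def __init__(self, client_ip):
        self.client_ip = client_ip
        self.sender = None

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return "250 mail.example.org Hello " + arg
        if verb == "MAIL":
            self.sender = arg.split(":", 1)[-1].strip("<> ")
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL command first"
            rcpt = arg.split(":", 1)[-1].strip("<> ")
            return rcpt_allowed(self.client_ip, rcpt)[1]
        if verb == "RSET":
            self.sender = None
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognised"


def relay_check(client_ip, sender, foreign_rcpt):
    """Play the client side of the exchange. foreign_rcpt must be an address
    outside the server's own domains: a 250 to that RCPT means the server
    relays for client_ip. Returns (transcript, relays)."""
    server = FakeSmtpServer(client_ip)
    commands = [
        "HELO tester.example.net",
        "MAIL FROM:<%s>" % sender,
        "RCPT TO:<%s>" % foreign_rcpt,
        "RSET",
        "QUIT",
    ]
    transcript, relays = [], False
    for cmd in commands:
        reply = server.handle(cmd)
        transcript.append((cmd, reply))
        if cmd.startswith("RCPT") and reply.startswith("250"):
            relays = True
    return transcript, relays


if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.10"):
        transcript, relays = relay_check(ip, "someone@example.net",
                                         "victim@example.com")
        print("client", ip, "-> relays:", relays)
        for cmd, reply in transcript:
            print("  C:", cmd)
            print("  S:", reply)
```

Running it shows the two outcomes side by side: the outside client gets "550 Relaying denied" on RCPT TO, the client from the permitted network gets "250 OK". The point to take from the thread is the same: a 250 to a recipient in a domain the server does not serve is the symptom, and the fix lives in the server's recipient policy, not in the client.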

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
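Mike's two-rule policy and state table from message 7, as an added Python example that is not code from the digest: the same two rules are run through a filter with no memory and through one with a state table, plus an FTP helper that reads the client's PORT command on the control channel and pre-admits the server's connection to the announced data port, which is the case the screening router in his description throws away. The internal network, addresses, ports and traffic sequence are constructed. The helper handles active-mode PORT only; treating passive mode (the server's 227 reply) the same way is left out, and the 5-tuple tracking here is a simplification of real connection tracking, both of which are assumptions beyond what the thread describes.

```python
"""Stateless vs stateful filtering of the two-rule policy from the thread,
plus an FTP helper for the dynamically negotiated data port. Added example;
not from the digest. Network, addresses, ports and traffic are constructed."""
import ipaddress
from collections import namedtuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed "internal" side

# What the filter sees: 5-tuple, TCP flag letters (S, A, F, R) and payload.
Packet = namedtuple("Packet", "proto src sport dst dport flags payload",
                    defaults=("", b""))


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def stateless_filter(pkt):
    """Rule 1: internal -> external ACCEPT; rule 2: anything -> anywhere DENY.
    Each packet is judged on its own, so every reply hits rule 2."""
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return "ACCEPT"
    return "DENY"


class StatefulFilter:
    """The same two rules, with a state table of sessions that internal hosts
    opened. A reply that matches an entry is accepted although rule 2 alone
    would deny it."""

    def __init__(self):
        self.state = set()    # 5-tuples of sessions opened from inside
        self.pending = set()  # expected inbound connections (FTP data)

    def filter(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state or reverse in self.state:
            self._ftp_helper(pkt)
            if "F" in pkt.flags or "R" in pkt.flags:   # session closing
                self.state.discard(key)
                self.state.discard(reverse)
            return "ACCEPT"
        if key in self.pending:          # data channel the helper announced
            self.pending.discard(key)
            self.state.add(key)
            return "ACCEPT"
        if is_internal(pkt.src) and not is_internal(pkt.dst):  # rule 1
            self.state.add(key)
            return "ACCEPT"
        return "DENY"                                          # rule 2

    def _ftp_helper(self, pkt):
        """Active-mode FTP: on the control channel (port 21) the client sends
        PORT h1,h2,h3,h4,p1,p2 and the server then connects from port 20 to
        h1.h2.h3.h4:(p1*256+p2). Record that connection as expected."""
        if pkt.proto != "tcp" or pkt.dport != 21:
            return
        text = pkt.payload.decode("ascii", "replace").strip()
        if not text.upper().startswith("PORT "):
            return
        parts = text[5:].split(",")
        if len(parts) != 6:
            return
        host = ".".join(p.strip() for p in parts[:4])
        port = int(parts[4]) * 256 + int(parts[5])
        self.pending.add(("tcp", pkt.dst, 20, host, port))


def run_scenario():
    """Replay a constructed sequence through both filters.
    Returns {label: (stateless_verdict, stateful_verdict)}."""
    stateful = StatefulFilter()
    inside, outside = "10.1.1.5", "198.51.100.9"
    steps = [
        ("http_syn_out",   Packet("tcp", inside, 40000, outside, 80, "S")),
        ("http_synack_in", Packet("tcp", outside, 80, inside, 40000, "SA")),
        ("ftp_ctl_out",    Packet("tcp", inside, 41000, outside, 21, "S")),
        ("ftp_ctl_in",     Packet("tcp", outside, 21, inside, 41000, "SA")),
        ("ftp_port_cmd",   Packet("tcp", inside, 41000, outside, 21, "A",
                                  b"PORT 10,1,1,5,4,2\r\n")),   # port 1026
        ("ftp_data_in",    Packet("tcp", outside, 20, inside, 1026, "S")),
        ("unsolicited_in", Packet("tcp", outside, 20, inside, 1027, "S")),
    ]
    return {label: (stateless_filter(p), stateful.filter(p))
            for label, p in steps}


if __name__ == "__main__":
    for label, (sl, sf) in run_scenario().items():
        print("%-15s stateless=%-6s stateful=%s" % (label, sl, sf))
```

The scenario reproduces both halves of the explanation: the HTTP SYN/ACK and the FTP control reply are denied by the memoryless filter (rule 2) and accepted by the stateful one, and the server's inbound connection to the negotiated data port 1026 is accepted only because the helper saw the PORT command on the control channel; an inbound connection to any other port from the same server is still denied by both.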
