> I am a student of information science at Otago University, and have been an
> avid subscriber to the list for almost a year now. I am soon to sit an exam
> and one of the questions relates to those types of electronic attack that
> firewalls do not protect against. If anyone has any ideas in this area, they
> would be much appreciated. I am not looking for instructions obviously, just
> general classes of attack that firewalls fail to counter. For example I have
> heard on a number of occasions that SYN flooding, due to its location in the
> connection initiation defies firewall protection. I am a little skeptical
> myself, but any input would be much appreciated...

SYN flooding can cause resource starvation on the firewall.  A firewall with
a good architecture will not allow packets to pass through if it's overloaded,
so this would result in a denial of service (DoS).  Another area where a
firewall will not completely protect your network is bandwidth starvation
attacks, where your line is filled with junk traffic to the point that
legitimate traffic can't get through, again another DoS attack.

The next area of vulnerability would have to be in the machines "protected"
by your firewall.  Vulnerabilities can exist in the services that you are 
allowing through the firewall.  Examples of this include vulnerabilities in
web servers that are allowed to be accessible from the rest of the internet.

Some other problems can come into play if you allow the machines in your DMZ
access to your internal network.  In addition, as noted in another email, 
client side problems can subvert incoming filters by establishing allowed 
outgoing connections.  Examples of this can include buffer overflowing an 
email client or trojaning in Back Orifice with one of the plug-ins that make
an IRC connection and make use of the IRC connection to execute commands on
the trojan'd machine.  (If you're saying right now that this can't happen to
you because you have outgoing 6667-6670/tcp blocked off at your firewall,
what happens if the trojan is set to communicate with an IRC server running
on port 80?)  Also, some less educated people believe that filters on a
router count as firewalling, but most times they only filter SYN packets, not
all packets, nor do they do stateful inspection, which is necessary to stop
some attacks.

// chris
[EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
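
The port 80 question in the message above, seen from the monitoring side: an added example, not part of the original message, that checks whether the first payload of an outbound flow matches the protocol expected on its destination port. The flow records, the EXPECTED_PROTO policy and all function names are assumptions made for this sketch; the sample flows are constructed.

```python
import re

# HTTP request line, and the IRC client verbs a session typically opens with.
HTTP_RE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/\d\.\d\r?\n")
IRC_RE = re.compile(
    rb"^(?::\S+ )?(PASS|NICK|USER|JOIN|PRIVMSG|PING|PONG) [^\r\n]*\r?\n", re.I)

BLOCKED_PORTS = range(6667, 6671)   # the 6667-6670/tcp egress block from the message
EXPECTED_PROTO = {80: "http"}       # assumed policy: what each allowed port should carry

def classify(payload: bytes) -> str:
    """Name the protocol from the payload itself, ignoring the port."""
    if HTTP_RE.match(payload):
        return "http"
    if IRC_RE.match(payload):
        return "irc"
    return "unknown"

def port_filter_allows(dport: int) -> bool:
    """The port-only egress rule: block the IRC range, pass everything else."""
    return dport not in BLOCKED_PORTS

def audit(flows):
    """Return flows the port filter passes whose payload is not what the port should carry."""
    findings = []
    for flow in flows:
        if not port_filter_allows(flow["dport"]):
            continue                      # already dropped at the firewall
        expected = EXPECTED_PROTO.get(flow["dport"])
        seen = classify(flow["payload"])
        if expected and seen != expected:
            findings.append((flow["src"], flow["dport"], seen))
    return findings

# Constructed sample: first client-to-server payload of three outbound flows.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\nHost: example.com\r\n\r\n"},
    {"src": "10.0.0.7", "dport": 6667,
     "payload": b"NICK guest42\r\nUSER guest 0 * :guest\r\n"},
    {"src": "10.0.0.9", "dport": 80,
     "payload": b"NICK guest42\r\nUSER guest 0 * :guest\r\n"},
]

if __name__ == "__main__":
    for src, dport, seen in audit(SAMPLE_FLOWS):
        print(f"{src} -> port {dport}: payload looks like {seen}")
```

This only classifies cleartext; encrypted or tunnelled traffic comes back as "unknown" and is reported as a mismatch on port 80 under the assumed policy.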
