Ryan Russell wrote:
>
> > Correctly implemented proxies will not be vulnerable to the specific
> > attack posted by John McDonald and Thomas Lopatic. Mikael Olsson
> > speculated that it "might" be possible to similarly fool a proxy but
> > that it would be "a LOT harder".
>
> Correctly implemented SPFs won't be vulnerable either. :) It depends
> totally on how a proxy is written. There is a general problem of the
> firewall trying to keep track of what state the FTP server is in. Doesn't
> really matter what kind of firewall it is.

Define correctly implemented. Does a correctly implemented SPF buffer
packets until it has enough information to make a correct decision?
Which SPF firewall (commercial or otherwise) does this?

> > If you reread the last paragraph of the stateful inspection section of
> > Mikael's post you can see the key difference: "This all assumes that the
> > firewall isn't completely reassembling the stream, but rather looking at
> > the contents of individual packets."
>
> The attack as posted depends on this. Variations mentioned may not.
> Some proxies may look for strings in the stream in much the same way SPFs
> do, and fall for the same tricks. Not necessarily packet boundaries, but
> just because they're looking for too small a piece of the string, for
> example.

Sure. I shouldn't be surprised that a proxy would be that poorly
implemented. However, I consider a correctly written application proxy
to act as described by Andreas, "There must not be any interaction
between the protocol logic of the server and the logic of the client."
Anything short of that can probably be fooled in some way.

> > Most stateful packet inspection firewalls make filtering decisions a
> > packet at a time. This works best (but still isn't foolproof) when the
> > decisions can be made based only on header information. For protocols
> > like ftp where the decision must be made based on the data portion of
> > the packet, the information necessary to make a correct decision can not
> > be guaranteed to be available in a single packet.
>
> I think most of the SPF vendors who have been around for a while have
> figured this out. New ones crop up all the time though, so someone will
> do it again.

You're not including Checkpoint in this group then, are you?

-paul
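
The distinction argued in this message, per-packet decisions versus decisions on a reassembled control stream, as an added example that is not part of the original post or of any firewall's code: it compares a matcher that judges each segment alone with one that buffers until a complete CRLF-terminated FTP reply line is available. The segment contents, addresses and the MAX_LINE bound are constructed for illustration.

```python
import re

# RFC 959 passive-mode reply: "227 <text> (h1,h2,h3,h4,p1,p2)"
PASV = re.compile(rb"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")

def endpoint(line):
    """Return (ip, port) if the bytes begin with a well-formed 227 reply."""
    m = PASV.match(line)
    if not m:
        return None
    parts = [int(x) for x in m.group(1).split(b",")]
    if any(p > 255 for p in parts):
        return None
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]

def per_segment(segments):
    """Weak model: judge each TCP segment's payload by itself."""
    return [ep for seg in segments if (ep := endpoint(seg))]

class ReplyStream:
    """Reassembled model: act only on complete CRLF-terminated reply lines."""
    MAX_LINE = 2048  # hypothetical bound; fail closed rather than buffer forever

    def __init__(self):
        self.buf = b""

    def feed(self, data):
        self.buf += data
        found = []
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            if (ep := endpoint(line)):
                found.append(ep)
        if len(self.buf) > self.MAX_LINE:
            raise ValueError("reply line too long; drop the control connection")
        return found

def reassembled(segments):
    stream = ReplyStream()
    return [ep for seg in segments for ep in stream.feed(seg)]

# Constructed server-to-client segments: one 500 reply split mid-line,
# then a genuine 227 reply that is itself split across two segments.
SAMPLE = [
    b"500 unrecognized: ",
    b"227 Entering Passive Mode (10,0,0,5,4,1)\r\n",
    b"227 Entering Passive Mode (10,0,",
    b"0,5,195,80)\r\n",
]
```

On the constructed sample, the per-segment matcher accepts the tail of the 500 line and misses the genuine reply, while the line-buffered parser does the reverse.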