(Thanks for uncloaking your identity, by the way. This discussion just got infinitely more interesting. :))

"Schouten, Diederik (Diederik)" wrote:
>
> > And this brings me to another point: fingerprinting leaks.
> > In some cases, knowing the MAC address tells you a lot about
> > a box. (Thinking of non-PC boxes with built-in NICs.)
>
> Sure, can't argue with that.
> But all this is based on the assumption that the attacker or trojan is
> already within your "secured" network.

Hm, no. Just on the other side of a bridging firewall.

In the case

  internet --- router --- empty stub network -- firewall -- internal

this is a non-issue, but as soon as you add DMZs, or have other hosts right outside your firewall, or have a router that can be SNMP-polled by anyone (view the ARP cache), it becomes an issue.

I'll give you that "open for an additional layer of information gathering" doesn't necessarily mean "open for an additional avenue of attack", but.. Yeah, I'm paranoid. :)

> [on using ARP to see if several IPs resolve to the same machine]
> Indeed, and there are many more ways to find out if several
> machines resolve to the same machine.

Hmm.. Which ones would that be? (Sans allowing telnet in to the machine and seeing that you get the same hostname banner.)

This is about as easy as it gets, IMHO, since a bridging firewall can't make L3/4 decisions on whether an external box gets to learn about internal network topology (hey, there's another argument! I can see if internal IPs get routed somewhere else! :)) -- a bridging firewall needs to pass ARPs to the inside network even when the external box isn't allowed to initiate a single connection to the inside hosts.

(Yes, I agree that for 90% of all networks, this probably doesn't mean squat, but for the rest -- the _large_ ones -- this

> > And, here, have another low blow while I'm at it: proxy ARP
> > does indeed answer using the firewall's MAC address for all
> > published boxes. Even if they're down, or temporarily out and
> > traveling, or have a physical L1 switch moving it back and forth
> > between separate physical networks once every few minutes.
> > (Yes, these things do exist :))
>
> Ehm... you're attacking your own standpoint now? ;)

Hm, no, I don't think so. "Always answering" versus "seeing if the host is not there" is a good thing, I think. Unless you assume that the firewall itself can (easily) be attacked. I don't. :)

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00    Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50        WWW: http://www.clavister.com
"Senex semper diu dormit"
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
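The two ARP observations in the message above (several IPs collapsing to one MAC, and proxy ARP answering for every published box with the firewall's own MAC) can be checked from the defender's side by auditing an ARP cache captured on the DMZ segment. This is an added example, not code from the original post or from Clavister; it assumes Linux `arp -an` output, a constructed sample dump, and that the auditor already knows the firewall's MAC.

```python
import re
from collections import defaultdict

# Constructed ARP cache dump in Linux "arp -an" format (sample data, not from
# the original post); 00:00:5e:00:53:xx is the documentation MAC range.
SAMPLE_ARP_DUMP = """\
? (192.0.2.10) at 00:00:5e:00:53:01 [ether] on eth0
? (192.0.2.11) at 00:00:5e:00:53:01 [ether] on eth0
? (192.0.2.12) at 00:00:5e:00:53:01 [ether] on eth0
? (192.0.2.20) at 00:00:5e:00:53:aa [ether] on eth0
? (192.0.2.21) at 00:00:5e:00:53:aa [ether] on eth0
? (192.0.2.30) at 00:00:5e:00:53:bb [ether] on eth0
? (192.0.2.31) at <incomplete> on eth0
"""

ARP_ENTRY = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE)

def parse_arp_dump(dump):
    """Map IP -> MAC for resolved entries; <incomplete> lines carry no MAC."""
    table = {}
    for line in dump.splitlines():
        match = ARP_ENTRY.search(line)
        if match:
            table[match["ip"]] = match["mac"].lower()
    return table

def ips_per_mac(table):
    """Invert the table: one MAC answering for several IPs is the leak at issue."""
    groups = defaultdict(list)
    for ip, mac in table.items():
        groups[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in groups.items()}

def audit_arp_exposure(dump, firewall_mac):
    """List every MAC fronting more than one IP, as (mac, ips, kind).

    firewall_mac is the bridging firewall's own MAC, known to the auditor:
    IPs answered with it are proxy-ARP-published hosts, and this ARP view
    cannot tell whether those hosts are actually up.
    """
    findings = []
    for mac, ips in sorted(ips_per_mac(parse_arp_dump(dump)).items()):
        if len(ips) < 2:
            continue  # a single IP per MAC reveals nothing extra
        kind = ("published via proxy ARP (firewall MAC)"
                if mac == firewall_mac.lower() else "several IPs on one host")
        findings.append((mac, ips, kind))
    return findings
```

Run against a real capture, any MAC flagged as "several IPs on one host" shows exactly the topology the bridging firewall cannot hide at L2, and the proxy-ARP group shows which published addresses stay reachable-looking regardless of host state.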
