On Mon, 15 Apr 2002, Diederik Schouten wrote:

> > Blocking traceroute isn't exactly rocket science.
> > A determined firewall aims at blocking _firewalking_, plus
> > variations thereof, by default. Are you suggesting that 
> > this won't stop that measly traceroute?
> 
> I'm not talking about blocking a protocol.
> When the firewall is not a hop, it doesn't show up.

s/doesn't show up/sometimes doesn't show up/

> > > Unless you know its IP address already you will not be able 
> > > to find it.
> > 
> > Nmap will tell me it is there in about 10 seconds. I betcha its
> > signature sticks out like a sore thumb too.
> 
> I betcha it won't.
> What ports would NMAP check to see if it's there?
> How to decide what/where a device is when it does not respond to anything?

If it modifies the packets in any way (see ISN discussion on proxy vs. 
stateful thread), or behaves differently than a host behind it that's 
reachable, then it's possible that it's detectable.  Perhaps even with 
NMAP's OS guess feature.  If it simply drops or accepts packets, then it's 
more difficult to detect, but less protective.

> And still... where would the "intruder" need to be to break your VLAN
> security? At least his trojan needs to be located on the same LAN...

These days that's a trivial bar for a targeted attack, and that's without 
even looking at Code Red, or Nimda[1].

> How to protect a banks money when the fire has started within the safe?

FM-200 suppression system in the safe, if banks kept more than trivial 
amounts of money in safes anymore.

> I'm not sure if your firewall is doing proxy arp, but I suppose so. I prefer
> layer 2 bridging over proxy arp any time.

A layer 2 bridge has to look at a lot more packets (all of them) than a 
proxy ARPing firewall.
  
> I'll be able to find your firewall's MAC address when I'm located on the same
> LAN, you won't be able to find mine.

You have to expose the MAC address of anything beyond the firewall, that's 
sometimes a worse evil, especially if there are several things in the 
network immediately on the other side of the firewall.

If you wanted to add some complexity, you could always have the proxy ARPing 
firewall ARP with the "real" MAC address from the other side and listen on 
that MAC on the near interface.  I'm not sure the gain is worth the 
additional code, but it's not precluded by architectural impossibility.

> When looking for firewalls, if I were a hacker I would first go for the
> devices on the edge of a network, and that's where the routed firewalls
> would be. The bridged ones won't be there, they might be, but that would
> defeat the "invisibility".

Depends on your target.  These days people pass enough bad stuff that 
going after a "protected" client is probably the best endgame in most 
situations (unless your target is a DB system on a service network to one 
side of the firewall.)

> More important than bridged vs routed is how secure the firewall really is.

Indeed.

Paul
[1] 68% of North American companies experienced a Nimda event.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
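A small model of the trade-off argued above (a layer 2 bridge must examine every frame; a proxy-ARPing firewall exposes only its own MAC; the variant that ARPs with the "real" MAC from the far side and listens on it). This is an added illustration, not code from the thread; the topology, MAC addresses and frame mix are constructed.

```python
# Constructed topology: three protected hosts behind the firewall, an
# observer on the near (outside) LAN. Modes model the thread's options:
#   bridge     - frames pass straight through, each host answers its own ARP
#   proxy_arp  - firewall answers ARP for protected IPs with its own MAC
#   proxy_real - firewall answers with the host's real MAC and listens on it
PROTECTED = {
    "10.0.0.10": "aa:aa:aa:00:00:10",
    "10.0.0.11": "aa:aa:aa:00:00:11",
    "10.0.0.12": "aa:aa:aa:00:00:12",
}
FW_MAC = "ff:ee:dd:00:00:01"
MODES = ("bridge", "proxy_arp", "proxy_real")

def arp_answer(mode, ip):
    """MAC an observer on the near LAN learns when it ARPs for ip."""
    if ip not in PROTECTED:
        return None          # nobody behind the firewall answers
    if mode == "proxy_arp":
        return FW_MAC        # only the firewall's MAC is ever exposed
    return PROTECTED[ip]     # bridge, or proxy ARP with the real MAC

def macs_exposed(mode):
    """Distinct MACs of the protected side visible from the near LAN."""
    return {arp_answer(mode, ip) for ip in PROTECTED}

def listened_macs(mode):
    """MACs the device accepts frames for; None means promiscuous."""
    if mode == "bridge":
        return None
    if mode == "proxy_arp":
        return {FW_MAC}
    return {FW_MAC} | set(PROTECTED.values())

def near_lan_frames(mode):
    """Constructed frame mix: one frame to each protected host (addressed to
    whatever MAC the observer learned) plus five unrelated near-LAN frames."""
    to_protected = [arp_answer(mode, ip) for ip in PROTECTED]
    unrelated = ["02:00:00:00:00:%02x" % i for i in range(5)]
    return to_protected + unrelated

def frames_inspected(mode, frames):
    """Frames the device must examine: a bridge sees all of them, a proxy
    ARPing firewall only those sent to a MAC it listens on."""
    listen = listened_macs(mode)
    if listen is None:
        return len(frames)
    return sum(1 for dst in frames if dst in listen)

if __name__ == "__main__":
    for m in MODES:
        print(m, sorted(macs_exposed(m)), frames_inspected(m, near_lan_frames(m)))
```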