I would check out http://www.monkey.org/~dugsong/fragroute/; there has been a lot of talk lately about fragroute bypassing Snort detection. But it could be used against stateful firewalls as well.
-Jason

> -----Original Message-----
> From: Ferry van Steen <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> Sent: 23/04/2002 11:19
> Subject: How to get through iptables/NAT, reality and risk calculation
>
> Hey there,
>
> first of all, please don't get me wrong. I don't want to know how to crack a
> firewall, I just don't wanna think I'm secure whilst I'm not.
>
> The case is this: at several locations I've set up a Linux box for the
> internet traffic. These boxes are configured in such a way that they don't
> have any open ports (or at least, not on the internet side). This is
> accomplished by simply allowing all traffic from the local LAN but only
> accepting traffic from the internet that is part of an existing connection
> (with iptables -m state --state ESTABLISHED,RELATED).
>
> Now, to me, as a starting security engineer (security-guru-wannabe or whatever
> the phrase is), this looks uncrackable (unless people download and
> install trojans that connect to IRC and stuff, which is allowed (at least,
> according to the traffic rules :-))). What should I be aware of? Could people,
> for instance, get data into the network by hiking along on a connection
> somebody set up with a webserver (or any other service for that matter)? The
> people at these locations are allowed to do whatever they want; they can use
> IRC, MSN, ICQ, HTTP, HTTPS, etc. Would it be possible that the Linux box
> gets hacked due to a TCP/IP stack bug? I'm just sucking things out of my
> thumb here, so I hope they make sense. Every knowledgeable security engineer
> I ever spoke to says nothing is uncrackable, so I'm just trying to figure out
> the ways they still can get it, so I can do things to prevent those and/or
> at least analyse the risk and have a knowledge of the possibilities so I
> won't be utterly surprised somewhere in the future without a clue as to where
> to look and how to trace it back.
>
> I'm really sorry if this has been discussed before... The site is really
> slow at the moment. In any case all info is welcomed (URLs, books,
> references, user stories, experiences... whatever).
>
> Btw.. I'm subscribed to the list on another email addy than this one. I am
> subscribed tho'. Replying to either this email ([EMAIL PROTECTED])
> or the list would be fine.
>
> Kind regards and TIA,
>
> Ferry van Steen
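As an added example (not code from either message in this thread), here is the ruleset Ferry describes written in iptables-restore form, with the two additions a reviewer of such a box would ask for: dropping packets that connection tracking cannot classify, and logging what the internet-side policy drops. The interface names eth0/eth1, the WAN/LAN variable names and the helper functions are assumptions of this example.

```shell
#!/bin/sh
# Added example: stateful LAN-to-internet ruleset in iptables-restore syntax.
# Interface names are assumptions; override with WAN=... LAN=... in the environment.
WAN=${WAN:-eth0}   # internet side (assumed name)
LAN=${LAN:-eth1}   # local LAN side (assumed name)

# Print the ruleset; gen_rules | iptables-restore applies it atomically.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Connection tracking reassembles IP fragments before the state match runs;
# packets it still cannot fit into any tracked flow are dropped first.
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# Internet side: only traffic belonging to connections the LAN opened.
-A INPUT -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN side: everything out, as in the original setup.
-A INPUT -i $LAN -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
# Anything else arriving from the internet is logged (rate limited) and then
# falls through to the DROP policy, so blocked probes leave a trace.
-A INPUT -i $WAN -m limit --limit 5/min -j LOG --log-prefix "wan-drop: "
-A FORWARD -i $WAN -m limit --limit 5/min -j LOG --log-prefix "wan-drop: "
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Sanity check before applying: count ACCEPT rules on the internet side that
# lack a state match. Anything but 0 means an accidental hole in the policy.
check_rules() {
    gen_rules | grep -- "-i $WAN" | grep -- '-j ACCEPT' | grep -vc -- 'state' || true
}

# Usage (as root): sh this_script.sh apply
if [ "$1" = "apply" ]; then
    [ "$(check_rules)" -eq 0 ] || { echo "WAN ACCEPT rule without state match" >&2; exit 1; }
    gen_rules | iptables-restore
fi
```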
