
NFR Wizards Archive: Re: Antwort: Re: Facts, not Fiction

Darren Reed (darrenrcyber.com.au)
Tue, 11 Nov 1997 14:41:55 +1100 (EST)


In some mail I received from Hartmut.FehlingHamburg-Mannheimer.de, sie wrote
>
> So the question is: Is it smart to take the abilities of a FW-Host for
> granted and protect the network / the connected hosts only against stuff
> the FW-Host cannot protect against?
>
> Example: I have an NT-Host behind the FW which is vulnerable to POD or
> NetBIOS-Attacks. However, the FW-Host is supposed to filter out this kind
> of traffic. How far can I trust the _current_ products to do just that?

What's "this kind of traffic" ?

In theory, one might adopt a high moral ground and say that so long as
the firewall minimises _security_ risks, it's doing its job. Now
it would appear that the firewall's job is being expanded to include
defense/protection against DoS and other attacks, which whilst not a
direct security threat, per se, do affect systems availability on the
"inside" and protection from them is perceived to be within the domain
of the firewall.

Getting back to your question, I think there are two ways to answer it.

Firstly, your firewall is only allowing in traffic you have agreed to
let in. In the case of the POD, I would class that as a configuration
problem as ICMP should not be allowed in, regardless of whether it is
a PING or not. Second, both the POD and URG pointer attacks exploit
"application" errors, where the application just happens to be the OS
or TCP/IP stack. I'd argue that the only way to knowingly be safe from
those is to use the "air gap" or go back to UUCP for mail/news/ftp.
Although with UUCP you're not protected from someone exploiting an
unpatched sendmail bug unless the firewall traps it...

The other tack is to demand firewall implementors to protect you from
every known problem - or at least the option of having that in place.
However, there's a certain amount of platform dependency in these bugs.
Both the examples you gave have limited scope and are not universal
problems. How long before a bug is the result of a misimplemented feature
and protection from it causes a reduction in service for some?

The issue of difference in protection with the URG pointer bug between
SPFs (i.e. FW-1) and proxy servers isn't so much a case of the proxy
countering the attack as it is the proxy becomes the host which deals
with the full TCP/IP interaction (compared to the SPF which just tries
to follow what's going on).

If I could attempt to make a bad analogy here, having a proxy server
is like having a good/expensive lawyer/accountant who deals with everything
for you and on your behalf whereas the SPF is where they look at things
and try to decide what to throw in the bin or actually pass on to you.
(Please, I hate trying to draw analogies anyway, so I don't need to
 know about better ones, just how bad that one is).

Darren
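The point Darren makes in the two halves of his answer (block inbound ICMP as a matter of configuration, and accept that a packet filter can only stop the ping of death or the URG pointer attack if it actively tracks what is going on, while a proxy sidesteps both by terminating the connection itself) can be made concrete with a toy inbound filter. The following Python is an added illustration written for this archive page; it is not code from Darren, from the NFR Wizards list, or from any firewall product. The `Packet` fields, the policy (drop inbound ICMP, drop any fragment whose end would push the reassembled IPv4 datagram past 65535 bytes, drop TCP with URG set to the NetBIOS ports 137-139), and all sample packets are constructed for the example.

```python
"""Toy stateful inbound packet filter (added example, not list or product code).

Assumed policy, chosen for illustration:
  * drop inbound ICMP outright (the "configuration" answer to the POD);
  * keep per-datagram fragment accounting and drop a fragment that would
    push the reassembled datagram past the 65535-byte IPv4 limit, which
    is what a filter must do to catch a ping of death on any protocol;
  * drop inbound TCP carrying URG to the NetBIOS ports 137-139, the shape
    of the URG pointer / "OOB" attack against NT.
"""
from dataclasses import dataclass
from typing import Optional

IPV4_MAX_LEN = 65535          # largest IPv4 datagram, header included
IPV4_HDR_LEN = 20             # assume no IP options
NETBIOS_PORTS = {137, 138, 139}


@dataclass
class Packet:
    """Constructed packet descriptor; the field names are this example's own."""
    proto: str                    # "icmp", "tcp" or "udp"
    src: str
    dst: str
    ip_id: int
    frag_offset: int = 0          # byte offset of this fragment (header field * 8)
    payload_len: int = 0          # transport bytes carried by this fragment
    more_frags: bool = False      # IP "more fragments" flag
    dport: Optional[int] = None   # only visible in the first fragment
    urg: bool = False             # TCP URG flag, only visible in the first fragment


class InboundFilter:
    """Per-packet filter with just enough state to follow fragmented datagrams."""

    def __init__(self):
        # (src, dst, ip_id) -> verdict reached on the first fragment
        self.datagram_verdict = {}

    def decide(self, p: Packet):
        """Return (verdict, reason) for one inbound packet."""
        key = (p.src, p.dst, p.ip_id)

        # 1. Oversized reassembly: a single fragment whose end lies past the
        #    IPv4 limit is enough to tell, whatever the protocol.
        end = IPV4_HDR_LEN + p.frag_offset + p.payload_len
        if end > IPV4_MAX_LEN:
            self.datagram_verdict[key] = "drop"
            return "drop", f"fragment ends at byte {end} > {IPV4_MAX_LEN}"

        # 2. Non-first fragments carry no transport header, so the filter can
        #    only inherit what it decided for the first fragment. An orphan
        #    (out-of-order or never-seen first fragment) is dropped here.
        if p.frag_offset > 0:
            verdict = self.datagram_verdict.get(key)
            if verdict is None:
                return "drop", "fragment without a seen first fragment"
            return verdict, "inherited from first fragment"

        # 3. Policy on the first (or only) fragment, where ports/flags are visible.
        if p.proto == "icmp":
            verdict, why = "drop", "inbound ICMP not permitted"
        elif p.proto == "tcp" and p.urg and p.dport in NETBIOS_PORTS:
            verdict, why = "drop", f"URG to NetBIOS port {p.dport}"
        else:
            verdict, why = "pass", "permitted by policy"

        if p.more_frags:
            self.datagram_verdict[key] = verdict
        return verdict, why


def run_samples():
    """Feed constructed packets through one filter instance; return the verdicts."""
    f = InboundFilter()
    src, dst = "203.0.113.9", "192.0.2.5"     # constructed addresses
    samples = [
        # ping of death: first ICMP fragment, then the last one past the limit
        Packet("icmp", src, dst, 1, frag_offset=0, payload_len=1480, more_frags=True),
        Packet("icmp", src, dst, 1, frag_offset=65528, payload_len=8),
        # same trick over a permitted protocol: only fragment accounting catches it
        Packet("udp", src, dst, 2, frag_offset=0, payload_len=1480, more_frags=True, dport=53),
        Packet("udp", src, dst, 2, frag_offset=1480, payload_len=1480, more_frags=True),
        Packet("udp", src, dst, 2, frag_offset=65528, payload_len=8),
        # URG pointer attack shape against the NetBIOS session service
        Packet("tcp", src, dst, 3, dport=139, urg=True),
        # ordinary inbound web traffic
        Packet("tcp", src, dst, 4, dport=80),
    ]
    return [f.decide(p)[0] for p in samples]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

Two things the toy makes visible that the prose only states. First, the ICMP ping of death never reaches the size check because the protocol is refused on the first fragment, which is exactly why Darren files it under configuration. Second, the UDP variant is only caught because the filter keeps per-datagram state across fragments; a purely per-packet filter would pass every fragment, since no single one is illegal on its own and the later ones carry no port information. A proxy does not need either check, because it reassembles and terminates the connection itself and the inside host never sees the raw packets.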



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:09:48 CDT