Re: Firewall comparison in Data Communications
Chris Brenton (cbrenton@sover.net)
Wed, 02 Jun 1999 07:05:04 -0400
Brian Steele wrote:
>
> <newbie-mode>What's a "source-routed packet"? And what danger does it pose
> to a Firewall?</newbie-mode>
From:
http://www.geek-speak.net/papers/Fwfaq2.htm
What is source routed traffic and why is it a threat?
Normally the path a packet follows from its source to destination is
determined by the routers between these two systems. The packet itself
only says where it wants to go (the destination IP address), and nothing
about how it expects to get there.
There is an optional way for the transmitting system (the source) to
include information in the packet that identifies the route the packet
should follow in order to get to its destination; thus the name "source
routing." For a firewall, source routing is noteworthy since an attacker
can generate traffic claiming to be from a system "inside" the firewall,
even though the transmitting system is located out on the Internet
(referred to as IP spoofing). The source routing information would then
be used in reverse in order to return the reply to the attacker’s
machine out on the Internet. Implementing such an attack is very easy,
so firewall builders should not discount it as unlikely to happen.
In practice source routing is not popular. In fact, the legitimate use
is in debugging network problems or routing traffic over specific links
for congestion control for specialized situations. When building a
firewall, all source routing should be blocked. Most commercial routers
incorporate the ability to block source routing specifically, and many
versions of UNIX that might be used to build a firewall bastion have the
ability to disable or ignore source routed traffic.
Cheers,
Chris
--
**************************************
cbrenton@sover.net
* Multiprotocol Network Design & Troubleshooting
  http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
  http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
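The FAQ quoted above says a firewall should block all source-routed traffic but does not show what such a packet looks like on the wire. The following is an added example, not code from the original post, the quoted FAQ, or any firewall product: a small IPv4 header parser that finds the Loose Source and Record Route (LSRR, option type 131) and Strict Source and Record Route (SSRR, option type 137) options defined in RFC 791 and returns a DROP verdict for any packet carrying one, while also dropping malformed option fields rather than guessing. The packets it inspects are constructed inline from documentation addresses (RFC 5737 ranges); the `build_ipv4` helper exists only to fabricate those samples and leaves the checksum at zero.

```python
import ipaddress
import struct

# IPv4 option type codes from RFC 791. Both source-route options carry the
# "copied" flag (0x80), which is why they are 131 and 137 rather than 3 and 9.
IPOPT_EOL = 0     # end of option list
IPOPT_NOP = 1     # single-byte padding
IPOPT_LSRR = 131  # Loose Source and Record Route
IPOPT_SSRR = 137  # Strict Source and Record Route
SOURCE_ROUTE_OPTIONS = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def parse_ipv4_options(packet: bytes):
    """Return a list of (type, payload) tuples for the options in an IPv4 header.

    Raises ValueError on a truncated or inconsistent header so the caller can
    drop the packet instead of reasoning about half-parsed options."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not a valid IPv4 header")
    header_len = ihl * 4  # IHL counts 32-bit words; > 5 means options follow
    if len(packet) < header_len:
        raise ValueError("header length exceeds packet")
    options = []
    i = 20
    while i < header_len:
        opt_type = packet[i]
        if opt_type == IPOPT_EOL:
            break
        if opt_type == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= header_len:
            raise ValueError("option missing length byte")
        opt_len = packet[i + 1]
        if opt_len < 2 or i + opt_len > header_len:
            raise ValueError("bad option length")
        options.append((opt_type, packet[i + 2:i + opt_len]))
        i += opt_len
    return options


def source_route(packet: bytes):
    """Return (kind, [hop addresses]) if the packet carries LSRR/SSRR, else None."""
    for opt_type, payload in parse_ipv4_options(packet):
        if opt_type in SOURCE_ROUTE_OPTIONS:
            # payload = 1-byte pointer followed by 4-byte route entries
            route = payload[1:]
            hops = [str(ipaddress.IPv4Address(route[j:j + 4]))
                    for j in range(0, len(route) // 4 * 4, 4)]
            return SOURCE_ROUTE_OPTIONS[opt_type], hops
    return None


def firewall_verdict(packet: bytes):
    """Policy from the FAQ: any source-routed packet is dropped, as is anything
    whose option list cannot be parsed."""
    try:
        sr = source_route(packet)
    except ValueError as exc:
        return "DROP", f"malformed header: {exc}"
    if sr is not None:
        kind, hops = sr
        return "DROP", f"{kind} option present, route via {', '.join(hops)}"
    return "ACCEPT", "no source route option"


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed sample data only: a minimal IPv4 header, checksum left at 0."""
    options += b"\x00" * ((-len(options)) % 4)  # pad to a 32-bit boundary with EOL
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + options


# Constructed LSRR option: type, length (3 + 2 hops * 4 = 11), pointer, two hops.
# The outer attacker host is 203.0.113.9; the packet claims an "inside" source.
LSRR_OPTION = (bytes([IPOPT_LSRR, 11, 4])
               + ipaddress.IPv4Address("203.0.113.9").packed
               + ipaddress.IPv4Address("192.0.2.10").packed)

SAMPLES = {
    "plain": build_ipv4("198.51.100.7", "192.0.2.10"),
    "spoofed_lsrr": build_ipv4("192.0.2.5", "192.0.2.10", LSRR_OPTION),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, *firewall_verdict(pkt))
```

The parser walks the option list the same way a packet filter must: NOP bytes are skipped, EOL ends the list, and every other option is bounds-checked against the header length before its type is trusted. Returning the recorded hops is useful for logging, since the first entry after the pointer is the next hop the reply would be steered through, which is exactly the reversal the FAQ describes.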
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT