[Dshield] testing a firewall

Chris Brenton cbrenton at chrisbrenton.org
Tue Dec 23 16:37:40 GMT 2003


On Tue, 2003-12-23 at 11:10, Roman Fomichev wrote:
> this can be done only if firewall is simple stateless packet filter.
> but i firewall use stareful inspection or proxies, than this method 
> woudn't work

This is not a dig, but rather a clarification. Most stateful inspection
firewall actually "inspect" very few applications. Even when they do its
more for functionality rather than security. I've blown past more SI
firewalls on ports 53, 80, 443, etc. using netcat or SSH than I could
ever remember. You need to look at the vendor implementation and look at
what they are inspecting and how to get a handle on it. If an app is not
inspected SI will fall back on stateful filtering or (gulp) static
filtering.

As for proxies, again it depends on whether they are application aware
or not. Most are, but there are quite a few plugs that have been
deployed on numerous firewall products that do little more than pass the
payload unchecked. Again, you need to look at the vendor implementation.

So I agree that if SI or proxy technology has been implemented
_properly_, the nc test should fail. My experience has been quite the
opposite however.

Hey look Johannes, a bunch of posts that don't mention sp_m! ;-p

Happy holidays all,
C





More information about the list mailing list