Chapter 15 - Firewalls

blog December 19th, 2006

Overview

Originally, this chapter was going to be about auditing firewalls, NIDS, and NIPS software. In the past, these have been some of our most fun auditing projects, so we were quite excited at the thought of getting to dedicate a chapter to picking them apart. There are lots of great logic problems that surface when you evaluate this code, especially when you start looking at ways to trick stateful inspection and protocol state machines. Unfortunately, we were a little too ambitious in our planning, and as the deadlines whooshed by, we had to scale back our coverage. So, NIDS/NIPS got cut, and the firewall coverage never got fleshed out to the level we would have liked. That said, we think there are some good ideas in here, and some pointers toward topics for future research for those of you who are so inclined. Hopefully, we'll get to revisit this in a future edition and do it up properly.

External Resources

Thomas, Dug, and John’s Stateful Inspection of Firewall-1 Blackhat Presentation
Thomas, Dug, and John’s Stateful Inspection of Firewall-1 Blackhat Paper

External References

Jim Stickley’s Gauntlet Advisory (Page 896)
Cyberpatrol Gauntlet Advisory (Page 896)
Paul Starzetz’s "Ambiguities in TCP/IP - firewall bypassing." (Page 898)
Thomas and John’s Linux ipchains Advisory (Page 903)
Lance Spitzner’s "Understanding the FW1 State Table." (Page 906)
Thomas’ Fragmentation attack against IP Filter Advisory (Page 907)
Thomas’ Firewall-1 Fastmode Vulnerability Advisory (Page 909)

Mirrored Software

Linux 2.2.0 net/ipv4/ip_fw.c - ipchains TCP SYN Ambiguity, page 898
Linux 2.2.0 net/ipv4/ip_fw.c - ipchains Fragmentation Vulnerability, page 904
Linux 2.2.0 net/ipv4/ip_masq_ftp.c - ipchains FTP Layering Vulnerability, page 911

Relevant Blog Posts

Zalewski-vision

Further Reading and Discussion

More to come.
