Ask Firewall.cx:Stateful Firewall

Hello,

I was wondering whether stateful firewalls are really all they are cracked up to be. I can understand where in certian situations they would be helpful (FTP maybe) or where someone does not know in-depth firewall configurations. But really all someone would need to do is sniff the traffic and spoof an Ip. Does anyone know what ports it will open up or does it depend on the protocol?

Thanks

SLM

Hello,

I was wondering whether stateful firewalls are really all they are cracked up to be. I can understand where in certian situations they would be helpful (FTP maybe) or where someone does not know in-depth firewall configurations. But really all someone would need to do is sniff the traffic and spoof an Ip. Does anyone know what ports it will open up or does it depend on the protocol?

Thanks

SLM

Hi

It depens what kind of software you are using to soof and sniff the data from the firewall. Also depends upon the kind of algorithim that the firewall uses to secure the inside network from the external attack. The firewalls could be stateful firewalls , proxy firewalls or stateful packet filtering. Also some firewalls dont allow to send the data packet to get rerouted from its own interface. which makes the sniffing and spoofing really impossible.

But then there are the ways !!!

Sidd

Stateful inspection was supposed to be the security supersolution.. however it does have its weaknesses. First off, it doesn't open any ports (though the firewall itself may open ports to allow inbound connection for remote users etc), the stateful inspection just means the firewall keeps a record or 'state table' of all connections and if something belongs to an established connection it allows it through. This also saves on processing time.

Obviously this guards against things like an nmap ack or fin scan because the firewall looks at the packet and says 'nope, this connection never started' and drops your packets. But keeping state comes with its own problems. There are quite a few papers out there (I think one is called 'A Stateful Inspection of CheckPoint Firewall 1') which discusses how different vendors implementations have quirks in how they keep state.. including ways in which the firewall can be fooled into allowing connections..
On the lamer end of things im sure its quite possible to flood the firewall with packets till its state table is overloaded. But that would be quite pointless I'm sure.

With regard to spoofing IPs, its easy enough - whats NOT easy is getting the replies back ! in other words to hold up a spoofed connection, you're working blind because the data doesnt come back to you, but goes to the spoofed IP of course if the spoofed IP is on your network and you can stop it from responding with FIN flags when it gets the unsolicited returns, you can go promiscuous and sniff the returns for yourself ! but just holding the connection is difficult enough as you'll need to predict tcp sequence numbers etc.

Its not impossible of course ! I refer you to Kevin Mitnick vs Tsutomu Shimomura www.takedown.com (i think) which is probably the classic spoofing attack documented. The thing is, by virtue of the services Kevin was attacking (rlogin) he didn't need to see the responses and could work blind.

IP spoofing is something that sounds very grand, but trust me, implementation is something else. If you're familiar with linux and have a few boxes lying around, try replicating Mitnicks attack, with random sequence number generation and firewalls preventing internal ips coming from external interfaces, you'll probably find its quite a handful.

Of course, the theory is sound -- it can be done
Cheers,
Sahir.