I really wish a firewall would have . .

Discussion in 'other firewalls' started by TECHWG, Nov 22, 2005.

Thread Status:
Not open for further replies.
  1. TECHWG

    TECHWG Guest

    If a firewall can stealth all ports that are closed, then why cant they tarpit all of them? Think about it. If you are stealth apart from x y and z ports then they know whats what very quickly. If all your ports seemed to be open and the firewall delt with them as 8sign does and keeps in internal and uses no resources for the "tarpitted" ports then their scanns would come back all open but they dont know what to do and how to do it. they would have to telnet all the ports and see whats what. I tried to tarpit all incoming with 8 signs but it takes it too literally. Any ideas or thoughts on this?
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Because tarpitting requires a firewall to do extra processing on incoming packets. Because tarpitting requires a firewall to maintain unnecessary (and unwanted) network connections. Because tarpitting can have a negative impact on legitimate resources (e.g. if you connected to a server which was slow to the point of causing your browser to time out, your firewall would notice the connection closure and then tarpit subsequent responses from that server, resulting it its resources being wasted). And finally tarpitting requires a firewall to accept and process unsolicited incoming packets (rather than just checking and discarding) which increases the chance of any coding error resulting in a buffer overflow vulnerability.

    In summary, tarpitting is useful for some individuals but is not a technique that should be used by everyone.
     
  3. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well some firewalls are half working, some work very good and some don't work at all. And there are also those that work different way as you mentioned.
    But take the whole port thing like this.

    We have 65536 ports available. Lets compare them with doors.
    We have building with 65536 doors.

    Whats better? To have all doors open, all closed or the fact that we don't know for sure if doors are actually there. We don't even know how many of them are there (ok we know there can only be 65536 doors).

    Now if it's closed we know they're there, they're just closed. If they're opened we know they're there and we can even easily try to enter.
    Now stealthed are another story. We don't know if they are there, we don't know if the are opened or closed. Firewall will always "respond" with "Destination unreachable". And thats the same like port scanning of ports on IP whos PC is turned off or disconnected...
     
  4. TECHWG

    TECHWG Guest

    Rej . . . Tarpitted ports are "not there" the ports are not "open" they are just being accepted by the firewall so that the firewall can do what it need to keep the connection alive . . Stealth and Tarpitted adn be used interchangably in that scenario . . you dont know what doors are real and not. Yes the only thing with stealth if you dont have any services loaded is that you "may" not exist. I personally have an ftp server running on my pc so i never ever get stealth status. My method is if they can find out i am there and see the 1 port i have open Umm i may as well advertise the fact i am here by seemingly open a whole bunch of ports that dont exist to protect mysystem.
     
  5. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Firewalls "stealthing" ports will not reply with an ICMP Destination Unreachable packet, they simply discard incoming traffic without any reply. Sending a Destination Unreachable response is "normal" behaviour to indicate a closed port.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Do you recommend permitting ICMP 8 (Dest. unreachable) inbound/outbound from any source?

    What about for ICMP 0 (Echo request)?

    Thanks,

    -rich
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Rmus, I think you mean ICMP 3, right?

    Typical procedure is to allow Type 8 out (ping) and Type 0 (reply) in. For ICMP type 3, I think it's usually allowed in as it's sometimes needed, and it's typically allowed out usually to one's DNS servers only, or perhaps not at all.

    I think it varies from person to person. If I remember right (I am trying!), Kerio 2 went by the above suggestions. Some other firewalls default to allowing Type 3 in and out. Some just in. I think there is some debate on Type 3 rules..
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Last edited: Nov 22, 2005
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, esp. in the old Kerio forums. (yes, I meant type 3, not 8 )

    I just looked at Paranoid's rules and he explains the pros and cons well.

    I also notice he suggests using separate DNS entries for each application, which I do - it's the only way to prevent the DNS exploit.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  11. Arup

    Arup Guest

    Separate rules for DNS is fine unless using a program like Treewalk where you have to give fully TCP/UDP rights and that too on top priority as I did with Kerio 2x rules, but there is no chance of poisoning with TW.
     
  12. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Bah i messed something up. The firewall accepts ICMP Ping Reply packets but doesn't reply to them. Thx Paranoid2000 for fixing that...
     
  13. TECHWG

    TECHWG Guest

    lol @ rej
     
Loading...
Thread Status:
Not open for further replies.