Firewalls and old school attacks

I saw a really old-fashioned denial of service attack today. A customer was concerned that they were seeing odd ICMP packets. ICMP is the protocol used for pings. Very few system admins bother to monitor them because they are generally rather dull. However, there used to be (and apparently still is) a denial of service attack called “The ping of death”. Basically, it is an ICMP packet with a big old buffer full of nonsense added to the packet. It would cause a buffer overflow in kernel mode and it would be lights out for that system. It isn’t a common attack any more because it doesn’t work – we fixed the last of the vulnerable MS operating systems back in 2000. Most other operating systems fixed it before then. The other reason is that many organizations block pings at the firewall for almost all addresses. There isn’t really a downside to this; why would you want people outside your firewall to be able to ask systems if they are online? The requests are normally just ignored.
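As an added example (not code from this post), here is a small detector for the condition behind the ping of death: fragments that would reassemble into a datagram larger than IPv4 allows. It assumes fragment records already decoded from a capture (a list of dicts), and every record in `SAMPLE` is constructed test data.

```python
# Added example, not from the post: flag IP datagrams whose fragments would
# reassemble beyond the 16-bit IPv4 total length, the "ping of death" case.
# All fragment records below are constructed sample data.
from collections import defaultdict

# 65535-byte total length minus a minimal 20-byte IP header leaves this
# much room for data (ICMP header plus payload) after reassembly.
MAX_DATA = 65535 - 20


def fragment_overflows(frag):
    """Stateless check: one fragment already proves the datagram is too big
    if its data offset plus payload length passes the limit."""
    return frag["offset"] + frag["length"] > MAX_DATA


def reassembled_sizes(fragments):
    """Group fragments by (src, dst, proto, ident) and return, per datagram,
    the data size it would reassemble to: the largest offset + length."""
    sizes = defaultdict(int)
    for f in fragments:
        key = (f["src"], f["dst"], f["proto"], f["ident"])
        sizes[key] = max(sizes[key], f["offset"] + f["length"])
    return dict(sizes)


def oversized_datagrams(fragments):
    """Return the keys of datagrams whose reassembled data exceeds MAX_DATA."""
    return [k for k, size in reassembled_sizes(fragments).items()
            if size > MAX_DATA]


def make_fragments(src, ident, data_len, mtu_data=1480):
    """Constructed test data: split an ICMP (proto 1) datagram carrying
    data_len bytes into fragments; 1480 keeps offsets multiples of 8."""
    frags, offset = [], 0
    while offset < data_len:
        length = min(mtu_data, data_len - offset)
        frags.append({"src": src, "dst": "10.0.0.5", "proto": 1,
                      "ident": ident, "offset": offset, "length": length,
                      "more": offset + length < data_len})
        offset += length
    return frags


# A normal ping (8-byte ICMP header + 56 bytes) beside an oversized one.
SAMPLE = make_fragments("192.0.2.10", 1, 64) + make_fragments("192.0.2.99", 2, 65620)

if __name__ == "__main__":
    for key in oversized_datagrams(SAMPLE):
        print("oversized fragmented datagram from", key[0], "ident", key[3])
```

The stateless check is the one a filter can apply per packet without holding reassembly state; the grouped version shows what a host stack would see on reassembly.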

I was discussing the matter with my colleague Lesley who is much more network oriented than me – and a smart cookie as I believe that I have mentioned before. She commented that there were some very clever people who thought that firewalls had reached the end of their life. Now, my first thought was “Sure, you can have my firewall when you take it from my lifeless hands” but now I am not so sure.

Most attacks are not against the OS any more. Blackhats go for the applications (specially crafted documents/streams) or the webserver (cross-site scripting) or whatever. Sure, there have been some vulnerabilities that could have been exploited and people always look for more, but that is not where successful attacks seem to be in practice.

Does that mean that it is safe to let any packet in? Would it be safe if every service on the network was 100% bullet proof? Well, no and no. It would be possible to flood the network even if nothing could be exploited. Anything that offers a degree of control is a help. There is also the question of disclosure. While security by obscurity is no security at all, it seems a gift to an attacker to let him know anything at all. There is a lot to be said for your company’s network being a black box to the outside world. However, the conventional firewall is not that useful. A lot of nasty things can route through port 80. Some good things too, such as SOAP or whatever it is called these days. Marketing comes up with the names. We called it RPC over HTTP among ourselves. A nasty thing is often just a good thing misused. A firewall is not much use there.

NAT (network address translation) solutions have a lot going for them. To the outside world, you have a single address or a couple of addresses that represent some computers (probably) and have ports that represent something. No easy way of knowing what the ports represent. No easy way of knowing if 2 ports are on the same real system. No way of knowing what the topology is – and the conversation is set up by a request from the inside although some things have to be open such as email. So far so good.

But does this mean the death of the DMZ? Do you just replace the firewalls with NATs? That isn’t so clear yet… but yes, maybe the conventional firewall has served its time.


Signing off

Mark