[c-nsp] Firewalls in front of Internet servers (was: cisco-nsp Digest, Vol 83, Issue 39)
Peter Rathlev
peter at rathlev.dk
Mon Oct 12 16:10:22 EDT 2009
On Mon, 2009-10-12 at 09:19 -0700, Joel M Snyder wrote:
> You may remember last year's "the Internet is falling and only Dan
> Kaminsky can explain it" flap around DNS. Well, a lot of the
> discussion around this bug/problem/issue ignored the truth that a good
> firewall prevented the attack directly, by knowing enough 'deep packet
> smarts' around the DNS protocol that the attack scenario was
> effectively blocked (hey, that's why we have a session table in the
> first place!).
The "Kaminsky attack" only makes sense towards recursive resolvers, and
I think most posters here are thinking about authoritative Internet
facing nameservers. Who runs a recursive nameserver open towards the
Internet now adays?
Even so: The nameservers make outbound requests and for those it sort of
does make sense to have stateful inspection. Except AFAIK the Kaminsky
attack works with spoofed answers, i.e. spoofing both source IP and
ports and query ID. How would a firewall (including DPI) catch this? By
randomizing source ports or query IDs like TCP sequence number
randomization? I'm not sure I agree that's a good idea. By denying all
but one answers? Perfect way to DoS yourself.
> Similarly, a well-configured firewall would have per-IP rate limits in
> it, which would have been a second line of defense.
Um... wouldn't that just make a DoS attempt even easier for an attacker?
> Now, if you put in a piece-o-crap firewall that is misconfigured, too
> slow, doesn't have a big enough session table, and doesn't do anything
> more than your average reflexive access control list, then you're
> right on: rip that junk out and go bareback.
>
> But if you do it right, there is value to be provided by a firewall.
As always, costs are important. Why should I spend $$$ for a large
enough firewall that doesn't give me any extra value?
--
Peter
More information about the cisco-nsp
mailing list