[ale] little bit of security advice needed
Transam
transam at cavu.com
Mon Jul 8 15:53:32 EDT 2002
> Date: Mon, 08 Jul 2002 10:19:30 -0400
> From: Dow Hurst <dhurst at kennesaw.edu>
> To: Jim Popovitch <jimpop at rocketship.com>, ale at ale.org
> References: <FMELKIGJMCKDEONBJEDGMENNDIAA.jimpop at rocketship.com>
> Subject: Re: [ale] little bit of security advice needed
> Is it possible to break thru the Linksys router with spoofed source
> packets from an external source? Has anyone tried this? I was talking
> with a guy who explained to me that an IPchains masquerading firewall I
> had installed at an academic lab could be hacked by sending a spoofed
> source packet containing an internal address of the masqueraded LAN. I
> probably didn't have a rule in place to deny such coming in on the
> external interface, but don't have the rules to look at to check. He
> rebuilt the box as a custom iptables bridge with static IPs issued from
> the institution this was at. I am happy for my friend who owns this lab
> since it sounds like this new admin is helping secure the lab properly.
A quick look at the LinkSys Download site for their cable modem/router
has a claim that they will block spoofed addresses. However, M$ also
claims that their software is secure. I recommend against trusting it
unless it provides documentation detailing what type of spoofing it blocks
and how and/or testing it. MANY firewall and VPN vendors publish misleading
and sometimes outright untrue claims. (I've seen no evidence of LinkSys
doing this.)
> But, I was puzzled since I thought I had set things up correctly. I
> depend on a Linksys router at home until I get a Linux firewall in
> place. I really want to get that done since the Linksys router seems to
> get confused quickly and lock up my external to internal SSH
> connections. Don't ever "ls -l" in an SSH session from outside being
> forwarded inside or you'll lose the session.
If it gets confused, that is suggestive of software bugs. Buggy code
usually cannot be considered secure.
I *know* the capabilities and limitations of IP Tables and IP Chains because
I've audited the source code!
> Dow
> Jim Popovitch wrote:
> >Hi Cade,
...
> "In theory" if the inside LAN is 192.168.0.0/255.255.0.0, spoofing
> packets from the outside will fail to get to the linksys router. This
> assumes that the ISP has properly configured routers to disallow
> unroutable packets in Internet space.
VERY FEW ISPs filter out such bogus addresses. Nmap has the capability
of generating such bogus source addresses to demonstrate this easily.
> That said, many organizations DON'T have routers set up properly so a
> rule in iptables like:
> /sbin/iptables -A INPUT -i $outside_interface -s $inside_network -j DROP
> will block the spoof.
EVERYONE should have such rules in their Firewalls. All of mine do.
> On Mon, 2002-07-08 at 10:19, Dow Hurst wrote:
> ...
> -- 
> James P. Kinney III \Changing the mobile computing world/
> President and CEO \ one Linux user /
> Local Net Solutions,LLC \ at a time. /
> 770-493-8244 \.___________________________./
Bob Toxen
transam at cavu.com [Bob's ALE Bulk email]
bob at verysecurelinux.com [Please use for email to me]
http://www.verysecurelinux.com [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com/ [My 5* book:"Real World Linux Security"]
http://www.cavu.com/sunset.html [Sunset Computer]
Fly-By-Day Consulting, Inc. "Don't go with a fly-by-night outfit!"
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
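The anti-spoofing rule quoted in the thread above (`iptables -A INPUT -i $outside_interface -s $inside_network -j DROP`) is the core idea; the script below is an added example, not code from Bob, Jim or the ALE list. It goes a bit beyond the quoted one-liner in two ways a defender running a masquerading box would want: it also adds the rules to the FORWARD chain, because a packet spoofed to look like it comes from inside but addressed to a LAN host never traverses INPUT, only FORWARD; and it drops all the RFC 1918 and loopback ranges arriving on the outside interface, not just the one inside network. The interface name `eth0` and the network `192.168.1.0/24` are constructed placeholders, and `IPT` defaults to a dry run that prints the commands so the script can be read and tested without root. A small pure-shell CIDR matcher (`in_cidr`, `verdict`) lets you check what the rules would do to a given packet before loading them.

```shell
#!/bin/sh
# Added example (not from the thread): ingress anti-spoofing rules for a
# netfilter firewall, plus an offline checker for what they would do.
# Assumptions: IPT defaults to a dry run ("echo iptables"); set IPT=iptables
# as root to actually load the rules. Interface and network names below are
# constructed placeholders.

IPT="${IPT:-echo iptables}"

# Source ranges that have no legitimate origin on the Internet side:
# the RFC 1918 private blocks and loopback.
BOGON_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

# ip2int 192.168.1.5 -> 3232235781 (dotted quad to unsigned integer)
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr ADDR NET/PREFIX: succeeds when ADDR lies inside NET/PREFIX
in_cidr() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    prefix=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# antispoof_rules OUTSIDE_IF INSIDE_NET
# Emits the quoted INPUT rule and the same rule on FORWARD (packets for
# LAN hosts behind a masquerading box never hit INPUT), for the inside
# network and every bogon range.
antispoof_rules() {
    outside_interface=$1
    inside_network=$2
    for net in "$inside_network" $BOGON_NETS; do
        for chain in INPUT FORWARD; do
            $IPT -A "$chain" -i "$outside_interface" -s "$net" -j DROP
        done
    done
}

# verdict IFACE SRC OUTSIDE_IF INSIDE_NET -> prints DROP or ACCEPT
# Offline model of the rules above: only traffic arriving on the outside
# interface is tested, so a real inside host on the LAN side is unaffected.
verdict() {
    iface=$1 src=$2 outside_interface=$3 inside_network=$4
    if [ "$iface" = "$outside_interface" ]; then
        for net in "$inside_network" $BOGON_NETS; do
            if in_cidr "$src" "$net"; then
                echo DROP
                return 0
            fi
        done
    fi
    echo ACCEPT
}

# Dry-run demonstration with constructed placeholder values.
antispoof_rules eth0 192.168.1.0/24
verdict eth0 192.168.1.7 eth0 192.168.1.0/24   # spoofed inside address
verdict eth1 192.168.1.7 eth0 192.168.1.0/24   # genuine LAN host
verdict eth0 66.33.1.1   eth0 192.168.1.0/24   # ordinary Internet source
```

Run it as-is to see the rule set it would load; to apply it on a real firewall, run it as root with `IPT=iptables`. Remember that this only covers the ingress half of the problem: the matching egress rule, dropping packets that leave the outside interface with a source address not in your inside network, stops your own LAN from being used as a spoofing source.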