-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Was the offending vendor named so folks can make a proper informed
decision on security perimeter devices?
thanks,
Ron DuFresne
On Wed, 4 Apr 2007, Jim Seymour wrote:
>
> Mystery solved.
>
> Jim
>
> ----- Begin Included Message -----
>
> Date: Wed, 4 Apr 2007 14:13:33 -0400
> From: Ereshkigal
> Subject: Update on 1720/1863
>
> Again, permission to cross-post granted. Hopefully, it will get
> cross-posted to wherever it got cross-posted initially so that those
> who have been fretting will be able to relax a bit.
>
> It looks like this is actually not malicious, although it is, in my
> opinion, Very Bad Form. It appears that there is a helper feature on
> some of the firewalls that "a top 5 firewall vendor" produces that
> causes the firewall to send an ACK to any probe that crosses the
> firewall on ports 1720 and 1863 back to the originating host. This
> is enabled by default. As far as I know so far, it's only on one type
> of firewall by this vendor.
>
> Basically, any and all connection attempts that we sent out to 1720
> and 1863 that crossed this firewall returned an ACK. If we tried to
> connect to the port on the IP, the firewall itself would accept the
> connection. Yesterday, we stumbled on the fact that the firewall
> would even take connections for IPs with no active hosts.
>
> From the information that we've been able to get, this was discovered
> this last week. The responses that we (and several others) were
> seeing to 1720 and 1863 were actually outbound connection attempts
> from our own hosts to the destination hosts that were intercepted and
> returned by the firewall, giving the impression of running services on
> the systems from anyone behind this particular type of firewall
> anywhere in the route with the helper enabled.
>
> I have heard of a few reports of people using IPTables and Netfilter
> seeing this, too, but need to confirm that this particular firewall
> isn't somewhere along the route between the two systems.
>
> ----- End Included Message -----
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFGJRgOst+vzJSwZikRArW+AJ4s4c5S7lXhHu6PUtuRTMUcsMvVywCgtczE
CBrQ+Gl/7ELtejyqv1M8i5U=
=2o2Z
-----END PGP SIGNATURE-----
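
An added example, not part of the original thread: one way to check outbound scan results for the pattern described above, where ports 1720 and 1863 answer on nearly every address in a network, including addresses with nothing else open. The function name, thresholds, input tuple format and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

HELPER_PORTS = {1720, 1863}  # the two ports named in the post

def find_phantom_ports(results, prefix_len=24, min_hosts=4, min_ratio=0.9):
    """results: iterable of (ip, port, state) rows from an outbound TCP scan.

    Returns {network: [helper ports that look intercepted in transit]}.
    Thresholds are illustrative assumptions, not values from the thread.
    """
    open_by_host = defaultdict(set)              # ip -> set of open ports
    for ip, port, state in results:
        open_by_host[ip]                         # register host even if all closed
        if state == "open":
            open_by_host[ip].add(port)

    hosts_by_net = defaultdict(list)
    for ip in open_by_host:
        net = ip_network(f"{ip}/{prefix_len}", strict=False)
        hosts_by_net[net].append(ip)

    findings = {}
    for net, hosts in hosts_by_net.items():
        if len(hosts) < min_hosts:
            continue                             # too few targets to judge
        suspects = []
        for port in sorted(HELPER_PORTS):
            answering = [h for h in hosts if port in open_by_host[h]]
            # "dark": nothing open except helper ports, so probably no live host
            dark = [h for h in answering if open_by_host[h] <= HELPER_PORTS]
            if len(answering) / len(hosts) >= min_ratio and dark:
                suspects.append(port)
        if suspects:
            findings[str(net)] = suspects
    return findings

def constructed_sample():
    """Constructed scan rows using documentation address ranges."""
    rows = []
    for last in range(1, 6):                     # every address answers 1720/1863
        ip = f"192.0.2.{last}"
        rows += [(ip, 1720, "open"), (ip, 1863, "open"), (ip, 22, "closed")]
    rows += [("192.0.2.1", 80, "open"), ("192.0.2.2", 443, "open")]
    for last in range(1, 5):                     # one host with 1720 open
        ip = f"198.51.100.{last}"
        rows += [(ip, 1720, "open" if last == 1 else "closed"), (ip, 1863, "closed")]
    rows.append(("198.51.100.1", 22, "open"))
    return rows
```

A flagged network is a prompt to re-test from a vantage point that does not cross the suspected firewall before treating those ports as real services.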