[HN Gopher] Asymmetric Routing Around the Firewall
___________________________________________________________________
Asymmetric Routing Around the Firewall
Author : sprawl_
Score : 29 points
Date : 2024-04-11 21:42 UTC (2 days ago)
Link : devnonsense.com
| unethical_ban wrote:
| >Later, when I realized that inbound traffic was bypassing the
| firewall, I notified UC Berkeley's Information Security Office of
| the potential security vulnerability, but their response was
| somewhat lacking in urgency. So we'll see.
|
| If I were on their infosec team I wouldn't ignore it, but also,
| infosec and network are often different silos. If network was
| already notified, infosec can't do much but complain.
|
| And, it seems the network was somewhat secure anyway. Any inbound
| scan or malicious traffic would get dropped going outbound, since
| there was no session on the outbound firewall.
| ikiris wrote:
| > Any inbound scan or malicious traffic would get dropped going
| outbound
|
| There are lots of types of maliciousness that would not be
| affected by this.
| unethical_ban wrote:
| True. I was thinking exfil and communication. Of course
| fuzzing/DoS is doable.
| chaz6 wrote:
| I have run into this, and I got tipped off by the very specific
| session timeout that was set on the firewall. The session would
| come up and work for around 30 seconds, then stop. The outbound
| packets were going to the firewall but being returned from a
| different address on the same subnet. The firewall would stop
| forwarding the outbound packets after the session expired since
| it did not observe the session being established (as the reply
| packets did not traverse the firewall).
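The two failure modes described in this thread (an outbound session that works for about one half-open timeout and then dies because the firewall never saw the SYN-ACK, and the reply to an inbound scan being dropped because the firewall has no session for it) can be reproduced with a toy connection tracker. This is an added example, not code from the linked post or from any commenter; the 30 s half-open and 3600 s established timeouts, the addresses, and the simplified flag handling are assumptions chosen to match the symptom described above.

```python
from dataclasses import dataclass

# Assumed timeouts for the model. The 30 s half-open value matches the
# symptom in the comment above (session works ~30 s, then stops).
HALF_OPEN_TIMEOUT = 30.0
ESTABLISHED_TIMEOUT = 3600.0


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # simplified TCP flags: "S", "SA" or "A"
    direction: str   # "out" = inside host -> Internet, "in" = Internet -> inside host


@dataclass
class Session:
    state: str       # "SYN_SENT" or "ESTABLISHED"
    expires: float   # absolute time at which the entry is removed


class StatefulFirewall:
    """Minimal connection tracker: outbound-initiated TCP only, default-deny inbound."""

    def __init__(self):
        self.table = {}

    @staticmethod
    def key(pkt):
        # Canonical 4-tuple: (inside host, inside port, outside host, outside port)
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _expire(self, now):
        for k in [k for k, s in self.table.items() if s.expires <= now]:
            del self.table[k]

    def process(self, pkt, now):
        """Return the verdict ("FORWARD"/"DROP") for one packet seen at time `now`."""
        self._expire(now)
        k = self.key(pkt)
        s = self.table.get(k)
        if s is None:
            if pkt.direction == "out" and pkt.flags == "S":
                self.table[k] = Session("SYN_SENT", now + HALF_OPEN_TIMEOUT)
                return "FORWARD"
            # No session: unsolicited inbound traffic, or an inside host answering
            # a SYN the firewall never saw (reply to a scan that bypassed it).
            return "DROP"
        if s.state == "SYN_SENT" and pkt.direction == "in" and pkt.flags == "SA":
            s.state = "ESTABLISHED"
            s.expires = now + ESTABLISHED_TIMEOUT
        elif s.state == "ESTABLISHED":
            s.expires = now + ESTABLISHED_TIMEOUT
        # A SYN_SENT entry keeps forwarding outbound packets until it expires;
        # it never becomes ESTABLISHED if the SYN-ACK takes a path around the firewall.
        return "FORWARD"


# Constructed addresses from the RFC 5737 documentation ranges.
INSIDE, OUTSIDE, SCANNER = "10.0.0.5", "203.0.113.10", "198.51.100.7"


def _out(flags):
    return Packet(INSIDE, 40000, OUTSIDE, 443, flags, "out")


def _in(flags):
    return Packet(OUTSIDE, 443, INSIDE, 40000, flags, "in")


def symmetric_flow():
    """Both directions cross the firewall: the session is established and stays up."""
    fw = StatefulFirewall()
    return [fw.process(_out("S"), 0.0),
            fw.process(_in("SA"), 0.1),
            fw.process(_out("A"), 60.0)]


def asymmetric_return_path():
    """Replies come back via another router; traffic works until the half-open timer fires."""
    fw = StatefulFirewall()
    return [fw.process(_out("S"), 0.0),
            fw.process(_out("A"), 0.1),    # client's ACK; firewall never saw the SYN-ACK
            fw.process(_out("A"), 10.0),   # still inside the 30 s window
            fw.process(_out("A"), 31.0)]   # entry expired: dropped


def inbound_scan_via_bypass():
    """A scanner's SYN reached the host around the firewall; only the host's reply crosses it."""
    fw = StatefulFirewall()
    return [fw.process(Packet(INSIDE, 22, SCANNER, 55555, "SA", "out"), 0.0)]


if __name__ == "__main__":
    print("symmetric:", symmetric_flow())
    print("asymmetric:", asymmetric_return_path())
    print("bypassed scan reply:", inbound_scan_via_bypass())
```

The asymmetric case is the one worth recognising in practice: a connection that consistently dies after the same interval, regardless of what the application is doing, is a half-open (SYN_SENT) entry timing out on a stateful device that never saw the return packets. The scan case shows why such a topology still blocks the reply to unsolicited inbound probes, while leaving the inbound probe itself unfiltered.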
| tranxen wrote:
| Glad you found out. Good job!
|
| Also, usually firewalls do not decrement the IP TTL of packets,
| which makes them invisible to traceroute.
|
| You are lucky this one does not.
___________________________________________________________________
(page generated 2024-04-13 23:01 UTC)