6

How do experienced users test a stateful firewall with TCP/IPv6?

My test case includes:

  1. echo reply without request
  2. TCP ACK without SYN

Are there any more test cases, especially with IPv6?

Scott Pack
deepsky

2 Answers

3

NAT Traversal

A method by which two clients, each isolated behind a separate NAT firewall, can establish communication with each other, even if the connection is explicitly allowed.

UDP packets do not contain any state. When an initial UDP packet leaves the NAT firewall, the firewall will allow UDP traffic to be returned through the same "session".

When two clients start mass-sending UDP packets at each other (same source/destination port tuple), at some point both firewalls will believe that they initiated the traffic, and allow traffic between the two clients, each isolated by a NAT firewall.

http://en.wikipedia.org/wiki/UDP_hole_punching

Connection Tracking

Some firewalls do not only track connections based on TCP connection state, but also on the application protocol's request to, e.g., send a file over IRC or FTP. While this is a feature when it works as intended, it can also be used to make the firewall open up for unintended connections.

An example of this is the XSS IRC DCC attack: http://encyclopediadramatica.ch/Firefox_XPS_IRC_Attack

Dog eat cat world
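A small model of the connection-tracking behaviour the answer above describes, added here as an example and not code from the answer or from any particular firewall. Two address-and-port-restricted NAT firewalls (an assumed NAT type, with port-preserving mappings) each record outbound UDP flows and admit inbound datagrams only for a recorded flow; `punch()` then plays the exchange through in the order the answer gives. The hosts, addresses and port are constructed test values.

```python
"""Two-NAT UDP hole-punching model (added example, not from the original answer).

Each NatFirewall records outbound UDP flows and admits inbound datagrams only
for a recorded flow. The NAT type (address-and-port-restricted, port-preserving
mapping) and all addresses are assumptions made for this example.
"""


class NatFirewall:
    """Address-and-port-restricted UDP NAT: an inbound datagram is admitted only if
    an inside host earlier sent to that exact remote ip:port from the same port."""

    def __init__(self, name: str, public_ip: str):
        self.name, self.public_ip = name, public_ip
        self.sessions = {}  # (remote_ip, remote_port, public_port) -> private_ip
        self.log = []

    def outbound(self, private_ip: str, port: int, remote_ip: str, remote_port: int):
        """Inside host sends a datagram: create (or refresh) the UDP session state."""
        self.sessions[(remote_ip, remote_port, port)] = private_ip  # port-preserving (assumed)
        self.log.append(f"{self.name}: {private_ip}:{port} -> {remote_ip}:{remote_port} session created")

    def inbound(self, remote_ip: str, remote_port: int, public_port: int):
        """Outside host sends a datagram: return the inside host it is forwarded to, or None."""
        private_ip = self.sessions.get((remote_ip, remote_port, public_port))
        self.log.append(f"{self.name}: {remote_ip}:{remote_port} -> {self.public_ip}:{public_port} "
                        + ("ACCEPT" if private_ip else "DROP"))
        return private_ip


def punch(nat_a: NatFirewall, host_a: str, nat_b: NatFirewall, host_b: str, port: int):
    """Both clients fire datagrams at each other's public ip:port; return (label, passed) per packet."""
    results = []
    # 1. A sends first. NAT A now has a session, but NAT B has none, so NAT B drops it.
    nat_a.outbound(host_a, port, nat_b.public_ip, port)
    results.append(("A->B", nat_b.inbound(nat_a.public_ip, port, port) is not None))
    # 2. B sends. NAT B creates its session; NAT A already expects traffic from B's
    #    public ip:port, so this datagram is accepted and forwarded to host_a.
    nat_b.outbound(host_b, port, nat_a.public_ip, port)
    results.append(("B->A", nat_a.inbound(nat_b.public_ip, port, port) is not None))
    # 3. A's next datagram now matches the session on NAT B too: the hole is open both ways.
    nat_a.outbound(host_a, port, nat_b.public_ip, port)
    results.append(("A->B", nat_b.inbound(nat_a.public_ip, port, port) is not None))
    return results


def demo():
    # Constructed topology: RFC 5737 documentation addresses on the public side.
    nat_a = NatFirewall("NAT-A", "198.51.100.1")
    nat_b = NatFirewall("NAT-B", "203.0.113.1")
    results = punch(nat_a, "10.0.0.5", nat_b, "192.168.1.7", 40000)
    for line in nat_a.log + nat_b.log:
        print(line)
    return results


if __name__ == "__main__":
    print(demo())
```

The first datagram being dropped is the behaviour worth checking on a real device: a firewall that lets inbound UDP through without a prior outbound flow for that exact remote ip:port fails the test before any hole punching is needed, and one that never opens after both sides have sent is not tracking UDP "sessions" the way the answer assumes.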
2

Sounds like you will want to settle in with a cup of coffee, a copy of the spec, and the libpcap man pages.

It should not be too difficult to write a program that will craft and transmit these packets for you. The high level flow will be

  1. Iterate through your use cases (let's use the echo reply for example)
  2. Fill out the data structure that contains the appropriate physical header with appropriate addresses
  3. Fill out the IP header data structure with the appropriate addresses and flags
  4. Fill out the ICMP data structure with the echo reply type codes and an appropriate payload
  5. Copy all of these pieces into a char*
  6. Open a RAW socket and send your char* packet out the wire

After you build this out for each of your test cases you can just run the app and watch the firewall for correct behavior. I would, of course, capture the traffic and make sure something like Wireshark decodes it properly as part of your testing/QA process.

Scott Pack
  • Thanks for your kind advice. But I do have the test tool, which is the Python program Scapy. My question is what kind of test cases I should use to exploit vulnerabilities of the stateful firewall. I just know some very simple test cases, such as a test case for the TCP 3-way handshake. – deepsky Oct 16 '11 at 14:10
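The two test cases from the question, built by hand over IPv6 following the flow in the answer above (fill in the IP header, fill in the ICMPv6 or TCP header, pack everything into bytes, push it through a raw socket). This is an added example, not code from the answer or from Scapy; the addresses are RFC 3849 documentation prefixes and the ports, sequence numbers and payload are assumed test values. `tcp_segment()` takes an arbitrary flag byte so the same builder serves other TCP state-machine probes beyond the bare ACK; `verify()` recomputes the transport checksum the way a capture tool would, which is the check the answer recommends before trusting the firewall's verdict.

```python
"""IPv6 stateful-firewall test packets built with struct/socket only.

Added example, not code from the original question or answers. Addresses are
RFC 3849 documentation addresses; ports, sequence numbers and payload are
assumed test values.
"""
import socket
import struct

SRC = "2001:db8::1"
DST = "2001:db8::2"
SPORT, DPORT = 40000, 22
ICMPV6, TCP = 58, 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src: bytes, dst: bytes, length: int, next_header: int) -> bytes:
    """IPv6 pseudo-header (RFC 8200 s8.1): src, dst, upper-layer length, 3 zero bytes, next header."""
    return src + dst + struct.pack("!I3xB", length, next_header)


def ipv6_header(src: bytes, dst: bytes, payload_len: int, next_header: int, hop_limit: int = 64) -> bytes:
    """Fixed 40-byte IPv6 header: version 6, traffic class 0, flow label 0."""
    return struct.pack("!IHBB", 0x60000000, payload_len, next_header, hop_limit) + src + dst


def _finish(src6: str, dst6: str, next_header: int, body: bytes, csum_offset: int) -> bytes:
    """Write the transport checksum into body at csum_offset and prepend the IPv6 header."""
    src, dst = (socket.inet_pton(socket.AF_INET6, a) for a in (src6, dst6))
    csum = checksum(pseudo_header(src, dst, len(body), next_header) + body)
    body = body[:csum_offset] + struct.pack("!H", csum) + body[csum_offset + 2:]
    return ipv6_header(src, dst, len(body), next_header) + body


def icmpv6_echo_reply(src6=SRC, dst6=DST, ident=0x1234, seq=1, payload=b"unsolicited") -> bytes:
    """Test case 1: ICMPv6 Echo Reply (type 129, code 0) that answers no request."""
    body = struct.pack("!BBHHH", 129, 0, 0, ident, seq) + payload
    return _finish(src6, dst6, ICMPV6, body, 2)


def tcp_segment(flags: int, src6=SRC, dst6=DST, sport=SPORT, dport=DPORT,
                seq=0x11111111, ack=0x22222222, window=8192) -> bytes:
    """Minimal 20-byte TCP header (data offset 5, no options) with the given flag bits."""
    body = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    return _finish(src6, dst6, TCP, body, 16)


def tcp_bare_ack(**kw) -> bytes:
    """Test case 2: ACK-only segment for a connection the firewall never saw a SYN for."""
    return tcp_segment(TCP_ACK, **kw)


def verify(pkt: bytes) -> bool:
    """Recompute the transport checksum over a finished packet, as Wireshark would."""
    payload_len, next_header = struct.unpack("!HB", pkt[4:7])
    src, dst, payload = pkt[8:24], pkt[24:40], pkt[40:]
    return (len(payload) == payload_len
            and checksum(pseudo_header(src, dst, payload_len, next_header) + payload) == 0)


def send(pkt: bytes) -> int:
    """Step 6: hand the packet to a raw socket (needs root / CAP_NET_RAW).

    Linux builds the IPv6 header itself for AF_INET6 raw sockets, so bind to the
    packet's source address (it must be configured on an interface) and send only
    the bytes after the 40-byte header; the checksums computed above stay valid.
    """
    next_header = pkt[6]
    src6 = socket.inet_ntop(socket.AF_INET6, pkt[8:24])
    dst6 = socket.inet_ntop(socket.AF_INET6, pkt[24:40])
    with socket.socket(socket.AF_INET6, socket.SOCK_RAW, next_header) as s:
        s.bind((src6, 0))
        return s.sendto(pkt[40:], (dst6, 0))


if __name__ == "__main__":
    for name, pkt in (("icmpv6 echo reply", icmpv6_echo_reply()), ("tcp bare ack", tcp_bare_ack())):
        print(name, len(pkt), "bytes, checksum ok:", verify(pkt))
        # send(pkt)  # uncomment on a test host that has 2001:db8::1 configured, run as root
```

A stateful firewall should drop both packets: the echo reply matches no outstanding echo request, and the ACK matches no tracked connection. Because the checksums are correct, a drop cannot be blamed on a malformed packet, which is why running the bytes through a capture tool first matters. Flipping a single byte after building (as the checks below do) is a cheap way to make sure the verifier itself is not passing everything.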