[FW-1] How do you hide/stealth your firewall...ideas?
I know other people have asked about this, but I have never seen a solution that I liked. Traditionally:

1) You can just put in the venerable STEALTH rule and drop all ICMP traffic, or anything else, that is directed at the firewall's interface. Thus, in traceroutes people will see a hop that is non-responsive. This means blackhats will know what is there, and others will just think something is broken.

2) You could allow the firewall to send ICMP responses, but of course this would let everyone see your firewall and probably fingerprint the O/S if they are good enough. This is not really an option...IMHO.

3) It would be nice if Firewall-1 could pass ICMP traffic without decrementing the TTL, however I have yet to see a published method of doing this. Perhaps some INSPECT code could do this? (Perhaps I should spend some time researching there...)

Anyway, until someone can tell me how to accomplish #3, I have an idea that I haven't tried yet but I think it would probably work pretty well. (I apologize if anyone else has already posted this idea.)

Basically, it involves putting one of those old 25xx routers into service, but without it actually routing anything. You could also put an old version of IOS on it, and probably leave all the nasty stuff running like the finger service etc., to make it look like a router everyone is familiar with. Address the eth0 interface on the 25xx router to be on the same subnet as the hosts reachable via your firewall.

The next step is to configure your firewall to actually respond to ICMP requests, send TTL-expired, unreachables, etc. etc.:

    Src         Dest    Svc         Action
    Firewall    any     ICMP_Evil   Accept

However, in your NAT tab put a rule in place to change the source address of the ICMP packets to that of the 25xx router:

    Orig Src    Orig Dest   Orig Svc    Xlate Src       Xlate Dest  Xlate Svc
    Firewall    ANY         ANY         25xx_router     original    original

So in this fashion, when a TTL expiration is sent, it comes from the source address of the 25xx router.

It is probably a good idea to put the address in DNS too, with something like "rtr-2514-2" etc. etc. If a blackhat decides to probe that address, he will see a real router with all the trimmings. In addition, you could have this router monitored by NIDS and tell it to ignore ICMP, but with the signatures for router/firewall or other types of attacks tuned up.

There are other various implementation details that I won't go into. I thought about drawing a text-based diagram, but those never seem to look like anything but gibberish...

===============================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
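As an added illustration (not part of the original post and not Check Point code), the following Python model shows what a traceroute sees through the firewall hop under the three options discussed and under the poster's NAT idea. The NAT rule object mirrors the FW-1 NAT tab columns quoted above (Orig Src / Orig Dest / Orig Svc / Xlate Src); the topology, the address values (RFC 5737 documentation ranges) and the `syslog` service name are constructed assumptions for the demonstration only, and how the real FW-1 kernel handles NAT of firewall-originated traffic is not modelled.

```python
"""Model of traceroute behaviour across a firewall hop (added example, not from the post).

Constructed topology: two upstream routers, the firewall, and a host behind it.
Each hop decrements the probe's TTL; the hop that takes it to zero answers with
ICMP Time Exceeded, sourced from its own address unless a NAT rule rewrites it.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "ANY"  # wildcard used in the FW-1 NAT tab

# Constructed addresses (RFC 5737 documentation space), not from the post.
UPSTREAM = ["198.51.100.1", "198.51.100.9"]
FIREWALL = "192.0.2.1"        # firewall's external interface
DECOY_ROUTER = "203.0.113.2"  # the idle 25xx router
TARGET = "203.0.113.10"       # host reachable through the firewall
PROBER = "192.0.2.200"        # host running traceroute


@dataclass
class NatRule:
    """One row of the NAT tab: original src/dst/svc and the translated source."""
    orig_src: str
    orig_dst: str
    orig_svc: str
    xlate_src: str

    def matches(self, src: str, dst: str, svc: str) -> bool:
        return all(field == ANY or field == value for field, value in
                   ((self.orig_src, src), (self.orig_dst, dst), (self.orig_svc, svc)))


def translate_source(rules: List[NatRule], src: str, dst: str, svc: str) -> str:
    """Apply the first matching NAT rule (rulebases are evaluated top-down)."""
    for rule in rules:
        if rule.matches(src, dst, svc):
            return rule.xlate_src
    return src  # no rule matched: packet leaves with its real source


@dataclass
class Hop:
    addr: str
    icmp_policy: str = "reply"   # "reply" answers with own address; "drop" = STEALTH rule
    nat_rules: Optional[List[NatRule]] = None

    def time_exceeded_source(self, prober: str) -> Optional[str]:
        """Source address of the ICMP Time Exceeded this hop emits, or None if dropped."""
        if self.icmp_policy == "drop":
            return None
        return translate_source(self.nat_rules or [], self.addr, prober, "icmp")


def traceroute(path: List[Hop], target: str, prober: str, max_ttl: int = 8) -> List[Tuple[int, str]]:
    """Probe with TTL 1..max_ttl; return [(ttl, responder)], '*' for a silent hop."""
    results = []
    for ttl in range(1, max_ttl + 1):
        remaining = ttl
        for hop in path:
            remaining -= 1
            if remaining == 0:
                src = hop.time_exceeded_source(prober)
                results.append((ttl, src if src else "*"))
                break
        else:
            results.append((ttl, target))  # TTL survived the path: the target answers
            return results
    return results


def scenario(firewall_policy: str, nat_rules: Optional[List[NatRule]] = None) -> List[Tuple[int, str]]:
    """Traceroute from PROBER to TARGET with the firewall as the third hop."""
    path = [Hop(a) for a in UPSTREAM] + [Hop(FIREWALL, firewall_policy, nat_rules)]
    return traceroute(path, TARGET, PROBER)


# The post's NAT row: Firewall / ANY / ANY -> 25xx_router (Orig Svc left at ANY).
DECOY_NAT = [NatRule(FIREWALL, ANY, ANY, DECOY_ROUTER)]
# Same idea with Orig Svc narrowed to icmp, so only the ICMP replies are rewritten.
DECOY_NAT_ICMP_ONLY = [NatRule(FIREWALL, ANY, "icmp", DECOY_ROUTER)]

if __name__ == "__main__":
    print("option 1, STEALTH rule:   ", scenario("drop"))
    print("option 2, firewall replies:", scenario("reply"))
    print("poster's idea, NAT'd reply:", scenario("reply", DECOY_NAT))
```

Running the three scenarios shows hop 3 as `*` with the stealth rule, as the firewall's own address when it replies, and as the decoy router's address once the NAT row is in place. In the model, a row whose Orig Svc is ANY rewrites every packet the firewall itself originates (for example its own log or syslog traffic), while the icmp-only variant leaves that traffic alone; whether the real FW-1 kernel behaves the same way for locally generated packets is not something this model decides.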