More March 2000 Windows Digest...
Excel 97 Easter Egg
· In Excel, create a new worksheet.
· Press F5; in the resulting dialog box type "X97:L97"
(without the quotes) and press Enter.
· Press the Tab key.
· Hold down Ctrl+Shift and click on the Chart Wizard toolbar
button.
What you get at this point depends on whether or not you have
Microsoft's DirectDraw video software installed. I don't, and
simply got some animated credits. People with DirectDraw will
instead enter a 3-D world in which you navigate with the mouse,
using the left mouse button to move forward and the right mouse
button to move backward.
Application Gateways and Stateful Inspection
(The following, although not a complete republication, is very
heavily borrowed from a PDF I received from a vendor recently.)
Nobody can disagree that the Internet security industry has
grown tremendously over the past few years. That growth has left
many of the people empowered to recommend or purchase new firewalls
and/or gateways in a state of perpetual confusion. Check Point
FW-1, Raptor, Guardian, Cisco PIX: with all the options, how do
you know which is best for you and your company? It boils down
to packet filters and application gateways. Credit goes to the
members of the Internet Firewalls mailing list, who put together
much of this information.
First, let's look at the first-generation firewall, sometimes
referred to as a packet filter. What is a packet filter? Simply
put, a packet filter is a process that allows or denies the
passage of traffic between networks based on the header information
in each packet. The header fields a packet filter can use include
the source address, the destination address, and the port or
service; some other header information is also available for the
device to use in building rule sets that allow or deny packets
into a given network. A Cisco router, for instance, can be
configured with Access Control Lists to filter certain types of
traffic. This process is often referred to as static packet
filtering.
Some advantages of static packet filtering include:
· Low overhead / high throughput
· Inexpensive or free
· Easy management of network traffic
Some of the disadvantages of static packet filtering are:
· Allows direct connections to internal hosts by external
clients
· Permanently leaves holes open in your network perimeter
· Quickly becomes unmanageable when used in complex environments
· Remains vulnerable to attacks such as "spoofing" of source
addresses, unless specifically configured to prevent them
· Offers no user authentication (unless coupled with a
RADIUS or TACACS+ server)
Note: It has been several years since I have seen an enterprise
take advantage of static packet filtering.
To address many of the disadvantages of static packet filtering,
dynamic packet filtering techniques were developed. Dynamic
packet filters, unlike static packet filters, open and close
"doors" in the firewall based on the header information in the
data packets, as described above. Once a series of packets has
passed through this door to its destination, the firewall then
closes the door. Stateful packet filtering is an enhancement to
dynamic packet filtering. A stateful packet filter makes sense
of higher-level protocols and adapts its filtering rules to the
needs of the specific protocol (e.g., simulated connections for
connectionless protocols such as NFS and RPC services). The
stateful packet filter keeps track of state and context information
about a session, often recording much of that information in an
ARP table for future reference. Check Point FW-1 is an example
of a stateful packet filter, also known as Stateful Inspection.
In Check Point's implementation of stateful packet filtering,
the inspection module sits between the data link layer and the
network layer of the OSI model. (For more information on the OSI
model, read "TCP/IP Blueprints".) Tracking a packet's "state"
may increase the security of the basic filter, but it does not
address the content or implications of the traffic being handled.
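To make the difference between the two filter generations concrete, here is a small added simulation (my own illustration, not code from the vendor PDF, Check Point or Cisco). It replays a constructed packet sequence through a static filter, which needs a permanently open "established" hole for ACK-bearing segments so that replies to outbound connections can get back in, and through a stateful filter, which opens a door only on a permitted SYN and shuts it on FIN/RST. Both carry the anti-spoofing rule the text says must be configured explicitly. The topology (192.168.100.0/24 inside, the web server at 192.168.100.253, an outside host in the 203.0.113.0/24 documentation range) is assumed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology for this illustration: an internal /24 behind the
# firewall, with the NATed web server from the article's example.
INTERNAL_NET = ip_network("192.168.100.0/24")
WEB_SERVER = "192.168.100.253"
WEB_PORT = 80


@dataclass(frozen=True)
class Packet:
    """Just the header fields a packet filter can base a decision on."""
    src: str
    dst: str
    proto: str               # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""          # TCP flags as letters: S=SYN, A=ACK, F=FIN, R=RST
    iface: str = "external"  # interface of arrival: "external" or "internal"


def spoofed(pkt):
    """Anti-spoofing rule that has to be configured explicitly:
    a packet arriving on the outside interface must not claim an inside source."""
    return pkt.iface == "external" and ip_address(pkt.src) in INTERNAL_NET


def policy_allows_initiation(pkt):
    """Rule base: inside may start anything; outside may only reach tcp/80 on the web server."""
    if pkt.iface == "internal":
        return True
    return pkt.proto == "tcp" and pkt.dst == WEB_SERVER and pkt.dport == WEB_PORT


def static_filter(pkt):
    """First-generation filter: every packet is judged on its own header.
    To let replies to outbound connections back in it needs a permanent
    hole for ACK-bearing TCP segments to high ports (the classic
    'established' rule), and that hole is open whether a session exists or not."""
    if spoofed(pkt):
        return False
    if policy_allows_initiation(pkt):
        return True
    return pkt.proto == "tcp" and "A" in pkt.flags and pkt.dport >= 1024


class StatefulFilter:
    """Dynamic (stateful) filter: a 'door' opens when the rule base admits the
    first packet of a session and shuts again on FIN or RST; packets that
    belong to no open door are dropped no matter what their flags say."""

    def __init__(self):
        self.sessions = set()   # 5-tuples of currently open doors

    @staticmethod
    def _keys(pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return fwd, rev

    def inspect(self, pkt):
        if spoofed(pkt):
            return False
        fwd, rev = self._keys(pkt)
        if fwd in self.sessions or rev in self.sessions:
            if "F" in pkt.flags or "R" in pkt.flags:
                self.sessions.discard(fwd)   # the door closes
                self.sessions.discard(rev)
            return True
        # Only a bare SYN (or a first UDP datagram) can open a door, and only
        # when the rule base permits that direction.
        opens = pkt.proto == "udp" or ("S" in pkt.flags and "A" not in pkt.flags)
        if opens and policy_allows_initiation(pkt):
            self.sessions.add(fwd)
            return True
        return False


def run_scenario():
    """Replay a constructed packet sequence through both filters.
    Returns {label: (static_verdict, stateful_verdict)}."""
    client, outside = "192.168.100.10", "203.0.113.5"   # outside host from a documentation range
    sequence = [
        ("syn-out",   Packet(client, outside, "tcp", 40000, 80, "S", "internal")),
        ("synack-in", Packet(outside, client, "tcp", 80, 40000, "SA", "external")),
        ("fin-in",    Packet(outside, client, "tcp", 80, 40000, "FA", "external")),
        ("late-ack",  Packet(outside, client, "tcp", 80, 40000, "A", "external")),
        ("probe",     Packet(outside, "192.168.100.20", "tcp", 5555, 1025, "A", "external")),
        ("spoof",     Packet("192.168.100.1", WEB_SERVER, "tcp", 1234, 80, "S", "external")),
    ]
    stateful = StatefulFilter()
    return {label: (static_filter(p), stateful.inspect(p)) for label, p in sequence}


if __name__ == "__main__":
    for label, (static_ok, stateful_ok) in run_scenario().items():
        s1 = "pass" if static_ok else "drop"
        s2 = "pass" if stateful_ok else "drop"
        print(f"{label:10s} static={s1}  stateful={s2}")
```

The "late-ack" and "probe" rows are the point: once the client's session is over, or when no session ever existed, the static filter still passes any ACK-flagged segment to a high port, while the stateful filter has no open door and drops it. Both drop the packet that arrives from outside with an inside source address.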
To make the point, consider the following example. You've
configured your Check Point firewall with Network Address
Translation, mapping the external routable IP address 207.51.13.82
to the DMZ or internal network address 192.168.100.253. In this
example 192.168.100.253 is an IIS 4.0 web server running under
Windows NT 4.0 SP6. You've restricted allowable traffic to port
80 only: this is your web server, serving content to the WWW,
with no use of SSL or port 443. An attacker uses a buffer overflow
that makes its way to the target on port 80; take, for example,
the overflow constructed by eEye, a full-disclosure security team
(http://www.eeye.com). So the attacker sends his payload to the
web server on port 80, the same port his browser would send an
HTTP GET request to. The traffic containing the malicious payload
reaches the Check Point firewall, where Check Point applies its
rule set and notices that the packet is headed to port 80 and
that the destination is 207.51.13.82. Check Point routes that
packet to our web server at 192.168.100.253. The web server
receives the network traffic containing the overflow and an
instruction to download and execute the Trojan of our choice.
Voilà: the IIS server crashes and on its way down downloads our
Trojan horse. When the web service is stopped and restarted, or
the server is rebooted by an admin, our Trojan is deployed. We
now have our foothold into the target's network. Their nice fancy
Check Point firewall did nothing to stop our attack.
Some advantages of using a dynamic packet filter are:
· Only temporarily opens holes in the network perimeter
· Low overhead / high throughput
· Supports almost any service (back-channel services like
FTP have to be handled as a special case)
· Very easy to establish rule sets (a low number of rules
is typically needed)
· Easy to manage
With the time a hole in the perimeter is left open greatly
reduced, many of the attacks that worked against static packet
filters are more difficult and in some cases impossible to use
against a dynamic packet filter. Since very little work is done
beyond routing traffic, the system overhead is very low. Similar
hardware platforms will often produce much higher throughput
when using dynamic packet filtering than when using an application
gateway.
Disadvantages include:
· Allows direct IP connections to internal hosts by
external clients
· Offers no user authentication (without the use of OPSEC
plug-ins)
· Passes any IP service on an allowed port (can't differentiate
between a telnet connection to port 80 and an HTTP GET request)
Dynamic packet filters do well in reducing the amount of exposure.
External systems, while adhering to the rule base of the dynamic
packet filter, are still able to make an IP connection with an
internal machine (if Network Address Translation is enabled).
(Note: it's good to use Network Address Translation; assign
non-routable internal IP addresses to your workstations and
servers on the LAN. This prevents external hosts from attacking
your internal network, unless of course they take over your
dynamic packet filter :) .) Although spoofing is a well-known
vulnerability for Internet sites, most modern dynamic packet
filters include fixes for most known methods of spoofing. The
problem remains in the trust placed in an external system based
almost solely on its IP address. Due to the frequent lack of user
authentication, even if the incoming connection is from an
approved host there is no check that the machine is being operated
by an authorized owner. In other words, if a cracker has
compromised the external host, it can be used as a gateway to
your internal network.
Next we have application gateways. An application gateway is a
firewall system in which service is provided by processes that
maintain complete TCP connection state information and sequencing.
Application gateways are also capable of performing Network
Address Translation and IP masking. When IP masking is used, any
outgoing traffic from the internal network is rewritten at the
application gateway and sent out onto the Internet with a source
address equal to that of the gateway's external interface. (Note:
Check Point supports this functionality!) Depending on whom you
ask, it's generally thought by many security experts that
application-based firewalls provide the most security. All
connections to any internal host are proxied through the firewall.
An application-level firewall is distinguished by its use of
security proxies (application gateways) for services such as FTP,
TELNET, etc., which prevent direct access to services on the
internal network.
Some advantages of application gateways are:
· Do not allow any direct connections between internal
and external hosts
· Support user-level authentication
· Analyze application commands inside the payload portion
of data packets (an application gateway has a strong chance of
catching the malicious content we sent to the WWW server in the
earlier example)
· Keep comprehensive logs of traffic and specific activities
(Check Point does have some nice logging abilities)
Because application gateways essentially proxy everything, no
direct connection is allowed through the firewall under any
circumstance. As an example, if you wanted to establish an FTP
connection to an FTP server on the target network, and that
network was using an application gateway configured to allow FTP
sessions to the FTP server, then you would maintain a connection
with the application gateway, which would actually be the machine
making the connection to the FTP server and then relaying the
data back to you. An application gateway inspects a packet and
its payload before passing it along to an internal host; if the
payload is likely to do the recipient harm, it is discarded.
Using our attack against the IIS server from earlier, the
following would likely have taken place had an application gateway
been installed. The buffer overflow destined for the IIS server
would have been sent to the application gateway. The application
gateway would have inspected the packet and seen that it was
headed to the WWW server; it would check the source address,
destination address and port against its rule set to see if the
packet could be routed through (much like a dynamic packet filter
up to this point). However, the application gateway would then
carry the packets being sent to the WWW server further up the
OSI model to the application layer, where it would have noticed
that this was not an HTTP GET request at all. Since it is only
configured to route WWW requests, it would have discarded the
malicious traffic, and our attacker doesn't get his foothold
through this method.
Some disadvantages of application gateways are that they:
· Are substantially slower than packet filters and
as such require more overhead
· Require the internal client to know about them
· Do NOT support every possible type of connection (certain
services may not work!)
Application gateways are ALWAYS slower than their stateful
inspection counterparts. This is due to the fact that the
application gateway has to inspect the incoming traffic itself,
carrying it all the way up the OSI model and performing a number
of checks. Fortunately, with the speeds of today's servers this
overhead can typically be handled without much problem. The
problem of not all services being supported can be explained as
follows. Say, for instance, that there is a new application on
the Internet called "UberApplication". Internal users want to
use this new UberApplication, and the business approves its use.
The application gateway approach will not let the traffic through
the firewall until it knows exactly how the application works
and what can be done to keep it from damaging the internal
network. If there is no "snap-in" available for the application
gateway, then the traffic cannot be allowed through. Most vendors
producing application gateways provide tools to create "generic
proxies". Vendors can often be measured on how quickly they
produce the "snap-ins" for the latest applications on the
Internet. It should be noted that many application gateways,
such as those produced by Axent Technologies (the product is
called Raptor), can be configured to function as a stateful-
inspection-based packet filter. So with the purchase of such a
product as Raptor you can configure it to function either as a
dynamic packet filter or as an application gateway.
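The two points above, a gateway that carries port-80 traffic up to the application layer and refuses anything that is not a well-formed HTTP request, and a gateway that has no "snap-in" for a service and therefore closes that port, can be shown together in one small added example. This is my own illustration, not code from the vendor PDF or from Raptor or Check Point; the payloads are constructed (a normal GET, some telnet negotiation bytes, an absurdly long request line, raw binary), and the URI and header size limits are assumptions a real deployment would set for itself.

```python
import re

# Constructed payloads arriving on tcp/80 (none is real captured traffic):
PAYLOADS = {
    "browser-get": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "bare-get":    b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "telnet":      b"\xff\xfb\x01\xff\xfb\x03hello\r\n",
    "oversized":   b"GET /" + b"A" * 5000 + b" HTTP/1.0\r\n\r\n",
    "binary":      b"\x90" * 64 + b"not a request",
}

# Request line: method, absolute path of printable ASCII, HTTP/1.0 or 1.1
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) (/[\x21-\x7e]*) HTTP/1\.[01]$")
# Header line: token, colon, printable value
HEADER_LINE = re.compile(rb"^[A-Za-z0-9!#$%&'*+.^_`|~-]+:[ \t\x21-\x7e]*$")
MAX_URI = 2048            # assumed limit; choose per deployment
MAX_HEADER_BLOCK = 8192   # assumed limit


def packet_filter_verdict(dport):
    """All a port-based rule knows: anything aimed at tcp/80 looks like web traffic."""
    return dport == 80


def http_proxy_verdict(payload):
    """WWW proxy: carry the bytes up to layer 7 and relay them only if they
    form a well-formed HTTP request. Returns (allowed, reason)."""
    first, sep, _ = payload.partition(b"\r\n")
    if not sep:
        return False, "no request line"
    m = REQUEST_LINE.match(first)
    if not m:
        return False, "not an HTTP request line"
    if len(m.group(2)) > MAX_URI:
        return False, "URI longer than %d bytes" % MAX_URI
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False, "header block not terminated"
    if len(head) > MAX_HEADER_BLOCK:
        return False, "header block too large"
    for line in head.split(b"\r\n")[1:]:
        if not HEADER_LINE.match(line):
            return False, "malformed header line"
    return True, "well-formed %s request" % m.group(1).decode()


# "Snap-ins": one inspector per service the gateway understands. A port
# with no inspector stays closed, which is the UberApplication situation.
INSPECTORS = {80: http_proxy_verdict}


def gateway_verdict(dport, payload):
    """Route the payload to the proxy registered for its port, or deny."""
    inspector = INSPECTORS.get(dport)
    if inspector is None:
        return False, "no proxy for port %d" % dport
    return inspector(payload)


def compare(payloads=PAYLOADS, dport=80):
    """Side by side: {label: (packet_filter_allows, gateway_allows)}."""
    return {label: (packet_filter_verdict(dport), gateway_verdict(dport, p)[0])
            for label, p in payloads.items()}


if __name__ == "__main__":
    for label, payload in PAYLOADS.items():
        ok, why = gateway_verdict(80, payload)
        verdict = "pass" if ok else "drop"
        print(f"{label:12s} filter=pass  gateway={verdict}  ({why})")
```

The port-only rule passes all five payloads because every one of them is addressed to port 80; the proxy passes only the two real requests and reports why it dropped each of the others. A port with no registered inspector (say 23) is refused outright, which is the trade-off the text describes: nothing gets through until the vendor or the administrator supplies a proxy that understands the protocol.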
So we are left with a few observations. Stateful packet filters
are faster than application gateways. This is common sense, due
to the fact that they inherently do less work and less security
processing. Stateful packet filters are less granular than
application gateways; they do not do any verification of the
protocol. An application gateway will look more closely at the
data. To quote Bill Stout, a security expert who posts to the
firewalls mailing list: "The purpose of a security device is to
protect a network, not to be fast. Fast is what airline travelers
want when passing through airport security, secure is what they
want when they are tumbling through the air after their plane
blows up."
Recommendation? Well, stateful packet filters are adequate for
low-risk intranets, or in situations where raw throughput has
priority over security. Application gateways should be the
technology of choice for organizations that have extremely high
security requirements.
More Happy Hacker Windows Digest,
March 2000--->>