Unless you tell the FW-1 log viewer not to resolve IP addresses, it
appears it goes through the following process to resolve an IP
address. (I *think* I have this order correct; someone PLEASE speak
up if I've got it wrong.)
1. It looks in its list of Network Objects to see if you've given a
name to this IP address. If it finds one, it will use this one,
regardless of other methods of resolving the address.
2. It queries the IP address in question trying to resolve its
Netbios name.
3. It queries DNS to reverse-resolve the IP address.
The problem is #2. It appears there is no way to tell the FW-1 log
viewer to continue to try to resolve IP addresses using 1 and 3 but
to turn off 2. I would very much like to be able to do this.
In my opinion, trying to resolve the Netbios name is a complete
botch, on several counts:
1. It is generally speaking *USELESS* information. (I suppose it
could be quite useful to crackers, but what good does it do *ME* in
defending my system against flying infectious space junk to know that
someone scanning me has named their computer PLUTO or hasn't changed
it from OEMCOMPUTER?)
2. The Netbios query goes directly to the computer that is scanning
me (unless the IP address is spoofed, of course ...). There are lots
of reasons not to want to do this. It turns *me* into a Netbios
scanner. Some people might think this impolite. It RADIATES
information to the scanner. This is the part I *really* don't like.
3. As currently implemented, the Netbios name -- if one is found --
actually *HIDES* information I *do* want: the DNS information. Oh
of course I can get that if I want to take the trouble to do it, but
then in this case I could also turn off address resolution completely
and resolve IP addresses myself one by one -- what a pain.
I'm sure there's a scripted solution to this problem -- turn off
address resolution and filter the log through a little bit of Perl
will do the trick -- but since I've presumably paid decent money for
the log viewer, I sure wish it would do the right thing ...
Of course if a cracker has taken down an entire network, you
"radiate" information just by making a DNS query too, but this is
far less common than a cracked machine using an ISP where the DNS
servers may be OK. A DNS query goes only as far as the DNS servers,
but a Netbios query goes straight back to the exact machine one is
concerned about: you're talking straight back to the cracker or
zombie or hapless victim -- whoever sent you the scan. If I want to
talk back to a machine scanning me, that should be my decision, it
shouldn't happen by default just because I'm trying to make sense out
of my firewall logs.
I got tipped off to this problem while trying to pay attention to a
particular IP address that has been scanning me on a particular port
I pay careful attention to. I started noticing consistently that
whenever I set a selection filter to look at just this IP address,
within a few seconds I would see *NEW* ICMP entries in my log from
this guy. At first this unnerved me, until I finally realized he was
sending me ICMP messages in response to my Netbios queries to resolve
his IP address. This particular kind of "conversation" with some
unknown party I'm trying to keep at arm's length is profoundly
uncomfortable.
I sure wish Checkpoint would give me a way of turning off **JUST**
Netbios name resolution!!
---
#include <disclaimer.h>
Jim Rosenberg
Ross Mould
E-mail: jrose...@rossint.net
_______________________________________________
Firewalls mailing list
Fire...@lists.gnac.net
http://lists.gnac.net/mailman/listinfo/firewalls
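The scripted workaround described in the post (turn off the viewer's resolution and post-process the log), written out here as an added example that is not from the original thread: addresses are resolved from the Network Objects table first and by reverse DNS second, so the script never sends a NetBIOS query to the scanning host. It is Python rather than the Perl the poster mentions, and the log line format, object names and addresses are constructed for the example.

```python
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample log: the exported FW-1 line format is assumed (the thread
# shows none); only the dotted-quad addresses in each line are matched.
SAMPLE_LOG = """\
12:01:03 drop eth0 src=203.0.113.7 dst=192.0.2.10 service=1433 proto=tcp
12:01:05 accept eth0 src=192.0.2.10 dst=192.0.2.53 service=domain proto=udp
12:01:09 drop eth0 src=203.0.113.7 dst=192.0.2.10 service=icmp proto=icmp
"""

# Step 1 of the viewer's order: names the administrator gave to addresses
# (constructed stand-in for the Network Objects list).
NETWORK_OBJECTS: Dict[str, str] = {"192.0.2.10": "fw-ext", "192.0.2.53": "ns1"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def reverse_dns(ip: str) -> Optional[str]:
    """Step 3: a PTR lookup, which only talks to the configured DNS servers."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def make_resolver(objects: Dict[str, str],
                  lookup: Callable[[str], Optional[str]] = reverse_dns):
    """Build a resolver: objects table, then cached reverse DNS, never NetBIOS."""
    cache: Dict[str, str] = {}

    def resolve(ip: str) -> str:
        if ip in objects:                 # named objects win, as in the viewer
            return objects[ip]
        if ip not in cache:               # one PTR query per address, failures cached
            cache[ip] = lookup(ip) or ip  # unresolvable: keep the raw address
        return cache[ip]

    return resolve


def annotate_log(text: str, resolve: Callable[[str], str]) -> List[str]:
    """Append the resolved name after every IP address; the address itself stays."""
    return [IP_RE.sub(lambda m: f"{m.group(0)} ({resolve(m.group(0))})", line)
            for line in text.splitlines()]


if __name__ == "__main__":
    for out_line in annotate_log(SAMPLE_LOG, make_resolver(NETWORK_OBJECTS)):
        print(out_line)
```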
Dan
-----Original Message-----
From: Jim Rosenberg [mailto:jr...@rossint.net]
In my opinion, trying to resolve the Netbios name is a complete
botch, on several counts:
1. It is generally speaking *USELESS* information. (I suppose it
could be quite useful to crackers, but what good does it do *ME* in
defending my system against flying infectious space junk to know that
someone scanning me has named their computer PLUTO or hasn't changed
it from OEMCOMPUTER?)
> 1. It looks in its list of Network Objects to see if you've given a
> name to this IP address. If it finds one, it will use this one,
> regardless of other methods of resolving the address.
>
> 2. It queries the IP address in question trying to resolve its
> Netbios name.
>
> 3. It queries DNS to reverse-resolve the IP address.
.. if you have WINS configured or use the Novell client it uses
these methods too.
=> STANDARD Microsoft techniques of name resolution
-> be as noisy as possible
name resolution := computer names + user names + services + ...
Regards,
Achim Dreyer
-----------------------------------------------------------------------
A. Dreyer, UNIX System Administrator and Internet Security Consultant