At 01:55 AM 7/4/03 -0700, Sarad AV wrote:

Wont the following cause a firewall breach-

First we capture inbound packets to a firewall assuming we have a man in the middle(M).

If (M) use block replay on packets he can inject bits and pieces of his own information to an inbound firewall and can go undetected?

M doesn't alter the source and destination ip's and is perfectly acceptable to the firewall.Even a timestamp won't work since a packet is expected at any time.

We can still re-calculate the CRC of Checksum field by the same attack and replace the old crc/checksum after changing various required bit positions.

Do firewall programs use initialisation vectors and a chaning mode to prevent this attack?

You are confusing a firewall with a protocol like IPsec that provides authentication and replay resistance (using crypto). A firewall is just a packet filter --if this field is that, do this. (Steve Bellovin has an online book about them you might enjoy.) Sometimes they're clever and look inside the streams, but this won't resist the attacks you're talking about. Various components of IPsec will. Read up on how it does that. ----- http://www.geocities.com/the_irvine_observer/