[fi-rg] [Fvga-wg] New document on a protocol specificatin for dynamicopening of firewall ports

Ralph Niederberger r.niederberger at fz-juelich.de
Thu Mar 5 08:04:40 CST 2009 

Dear Gian Luca,

comments inside.

Thanks a lot.

Gian Luca Volpato schrieb:
> Dear All,
>
> I would like to share with you some comments and thoughts about the 
> latest version of our FiTP document.
>
> First some questions about the conceptual design of FiTP:
> - the use of SSH-NONE with HMAC cipher protocol guarantees that 
> messages cannot be modified while transferred from the user-CH to the 
> auth-CH. However only user-CH and auth-CH can verify the integrity of 
> the messages; firewalls along the communication path have no 
> possibility to verify message integrity.
> Is there any risk that an attacker modifies an FiTP command or an FiTP 
> reply with the purpose of deceiving an FiTP-aware firewall and making 
> it to enforce an unauthorized access rule?
> If this is the case we should consider the possibility to sign message 
> digests with the private key of the sender instead of with the secret 
> key shared between user-CH and auth-CH.
>
in principle you are right with your argumentations. But the idea is 
that the receiver of the packets acknowleges every request,
sending again the request back to the client which asked for access. So 
if there is an intruder who modifies the packet, the receiver,
i.e. authentication server; will respond with a negative reply.

Let's assume the path is symmetric:
If the intruder hacks the packet before the firewall, let us assume he 
changes the port range to be opened, the destination server
would send a negative acknowlegement to the source, since HMAC shows 
that the packet was changed. Since the intruder is
on the path outside before the firewall, he cannot change the 
acknowledgement packet. So the firewall recognizes the negative
response.
If the intruder hacks the packet on the path after the packet traverses 
the firewall, i.e. inside the local destination domain, the
firewall knows about the original port range request. So independent of 
the intruder only the right port range could be
opened. But this would not work, since again the destination server 
sends a negative response, since he detects the hacked packet.

So if the firewall only opens the ports after the packets have been 
acknowledged, there is no insecurity.

Let's assume furtheron the hacker also modifies the NACK packet sent by 
the destination server before it traverses the firewall on
its way back to the client. So the firewall would see a request and a 
positive acknowledgement.
But again the client would see that the potential ACK packet was hacked.
Then he would close the control connection and this would imply closing 
all data connection requests already received by the firewall.
> - what happens when the auth-PI crashes?
> During the restart operation, are all granted rules invalidated and 
> accordingly are commands to FiTP-unaware firewalls sent?
> This should happen because an FiTP-unaware firewall cannot understand 
> that a major failure (closing) on the control connection implies 
> deleting all access grants.
>
An FiTP aware firewall closes all data sessions when the control 
connection dies.
For an FiTP unaware firewall you are right, that we need to have some 
checkpoints where we can setup again.
So at least we need a mechanism for invalidating open ports. So this 
could be a table where all ports opened by FiTP are
stored. Then those entries could be checked and discarded. Thanks for 
the hint, we have to think about a good solution.
>
> And now some minor remarks on the document:
> - page 6, definition of access-rule: why in the case of IP or IPSEC 
> protocol are sport1,sport2,dport1,dport2 ignored?
IP doesn't have ports. Ports are on layer 4 of the ISO/OSI protocol.
> - page 8, the definition of user-CH is missing
I will include this. Thanks
> - page 11, in the definition of the command syntax 
> "[4_digit_message_code],GAcR,Auth,[textstring"]: what is the meaning 
> of parameter "Auth" ?
This was a fragment coming from cut and paste. Already delete in 
Document Version 2.7.1
>
> - page 15, in the structure of FiTP reply codes: why do we define 
> reply codes 1xyz and 2xyz and then we never explain nor use them in 
> the document?
That is a historical reason. I first thought about implemnting all 
things itself. So we would have needed a "Key Exchange Phase" and a
"Authentication and AUthorization Phase". Later on there came up the 
idea of using SSH NONE Cipher doing this already.
So in principle, you are right, this coul be deleted. I would like to 
wait for the discussions going on, if we should go the way using SSH
protocol. If this will be the way we will delete those entries. 
Otherwise we will need those phases and codes.
> - page 20, in the command "9000,PathCntl,Encrypted(9000,PathCntl)": 
> what is the meaning of the parameter "Encrypted(9000,PathCntl)" ?
>
>
Same answer as above. First I thought to do the HMAC itself, sending any 
command also encrypted for crosschecking by receiver.
We do not need it anymore. This is a fragment from  the old version, 
which has been deleted in Doc vers. 2.7.1 already. Sorry for that,
but I assume there are a lot of other typos left.
> I wish you a very useful FVGA session at OGF25.
> Kind regards
> /Gian Luca
>
Thanks a lot for reading and checking the document. We will let you know 
about any new thnigs coming up tomorrow.

Best regards

Ralph
> ------------------------------------------------------------------------
>
> _______________________________________________
> fvga-wg mailing list
> fvga-wg at ogf.org
> http://www.ogf.org/mailman/listinfo/fvga-wg
>   

-- 

***************************************************
 Ralph Niederberger
 Juelich Supercomputing Centre
 Institute for Advanced Simulation

 Phone:  +49 2461 61-4772
 Fax:    +49 2461 61-6656
 E-Mail: r.niederberger at fz-juelich.de
 WWW:    http://www.fz-juelich.de/jsc/

 JSC is the coordinator of the
 John von Neumann Institute for Computing
 and member of the
 Gauss Centre for Supercomputing
***************************************************

 Forschungszentrum Jülich GmbH
 52425 Jülich

 Sitz der Gesellschaft: Jülich
 Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498
 Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe
 Geschäftsführung: Prof. Dr. Achim Bachem (Vorsitzender),
 Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr. Harald Bolt,
 Dr. Sebastian M. Schmidt 

***************************************************




-- 

***************************************************
 Ralph Niederberger
 Juelich Supercomputing Centre
 Institute for Advanced Simulation

 Phone:  +49 2461 61-4772
 Fax:    +49 2461 61-6656
 E-Mail: r.niederberger at fz-juelich.de
 WWW:    http://www.fz-juelich.de/jsc/

 JSC is the coordinator of the
 John von Neumann Institute for Computing
 and member of the
 Gauss Centre for Supercomputing
***************************************************

 Forschungszentrum Jülich GmbH
 52425 Jülich

 Sitz der Gesellschaft: Jülich
 Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498
 Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe
 Geschäftsführung: Prof. Dr. Achim Bachem (Vorsitzender),
 Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr. Harald Bolt,
 Dr. Sebastian M. Schmidt 

***************************************************

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Nachrichtenteil als Anhang
Url: http://www.ogf.org/pipermail/fi-rg/attachments/20090305/7f5cbc65/attachment-0001.pl 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5143 bytes
Desc: S/MIME Cryptographic Signature
Url : http://www.ogf.org/pipermail/fi-rg/attachments/20090305/7f5cbc65/attachment-0001.bin

More information about the fi-rg mailing list