This is the system now running at grc.com. It works.
I started from scratch and wrote a complete, custom TCP/IP protocol suite, including an integrated firewall (super-hardened TCP) and a lightweight web server. In the diagram above, the only components I did not write from scratch (in assembly language) are the two thick-outline boxes. The dark-gray box contains our web server enhancements, which have been evolving steadily for several years.
I am particularly proud of the TCP protocol handler. I solved the problem of vulnerability to local resource depletion from denial of service (DoS) attack flooding by designing a "stateless connection opening" technology named "GENESIS". Unlike all traditional (and DoS vulnerable) TCP/IP stacks, GENESIS is able to accept and complete inbound connections without needing to keep any "state" information. Thus there are no resources to exhaust when gazillions of inbound connections are being spoofed and never completed, or completed but never used. A detailed explanation of the DoS problem and my GENESIS solution is available here.
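Added illustration, not GRC's GENESIS code (the page does not detail that design): the widely used SYN-cookie approach shows how a server can complete a handshake while storing no per-SYN state. The SYN-ACK's initial sequence number is an HMAC over the packet's own fields plus a coarse time slot, so the third handshake packet can be validated from its contents alone; the secret and addresses are constructed.

```python
import hmac
import hashlib

# Constructed demonstration secret; a real server would rotate it periodically.
SECRET = b"demo-secret-rotate-me"

def _tag24(src_ip, src_port, dst_ip, dst_port, client_isn, slot, secret):
    """24-bit HMAC tag binding the 4-tuple, the client's ISN and the time slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{slot}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")

def syn_cookie_isn(src_ip, src_port, dst_ip, dst_port, client_isn, now, secret=SECRET):
    """ISN to place in the SYN-ACK: 8-bit time slot (64 s units) + 24-bit tag.
    Nothing is stored, so a flood of SYNs that never complete costs no memory."""
    slot = (int(now) // 64) & 0xFF
    return (slot << 24) | _tag24(src_ip, src_port, dst_ip, dst_port, client_isn, slot, secret)

def accept_ack(src_ip, src_port, dst_ip, dst_port, seq, ack, now, secret=SECRET, max_slots=2):
    """Validate the handshake's third packet from its own fields only.
    seq is the client's sequence number (its ISN + 1); ack is our ISN + 1.
    Returns True when the cookie is genuine and at most max_slots old."""
    isn = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    slot = isn >> 24
    age = (((int(now) // 64) & 0xFF) - slot) & 0xFF
    if age > max_slots:
        return False                      # stale cookie, or slot field tampered with
    return (isn & 0xFFFFFF) == _tag24(src_ip, src_port, dst_ip, dst_port, client_isn, slot, secret)
```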
This is our NanoProbe Technology.
It's cool. It's running. It works.
What can we do with our NanoProbe Technology?
Currently undergoing development, conceptually confirmed and proven, the NanoProbe Technology will demonstrate the following capabilities:
While-you-wait, real-time operation.
Like our existing ShieldsUP! system, the NanoProbe Security Analyzer will use a web browser interface to immediately deliver its security vulnerability report.
We expect the analysis will be so comprehensive and to produce so much detail that we'll offer both "summary" and "detailed" display formats. If it turns out to be feasible, the detailed display may be able to summarize every NanoProbe packet sent and received as well as detailed NanoProbe statistics.
Continuous host-presence verification.
Internet security scanners exhibit the serious problem of "scanning blind". They cannot, and do not, verify whether the scan target is online, connected, or even receiving their packets. This results in completely invalid reports of "no vulnerability" when, in fact, the target host was simply offline, disconnected, or unavailable to the scan.
Our NanoProbe Technology does not suffer from this serious shortcoming since it continuously and affirmatively induces NanoProbe reflections from the host system (even from hosts behind full stealth firewalls!) during security analysis to continuously re-confirm the host's real-time accessibility.
Comprehensive host IP address determination (with domain resolution).
The use of our NanoProbe Technology allows us to penetrate transparent web proxy servers and NAT (Network Address Translating) routers to directly probe the host machine's complete interconnection environment. This technology allows us to resolve the pre- and post- NAT router IPs, and the pre- and post- transparent web proxy IPs.
For example: The typical @Home cable modem user, using a Linksys IP-multiplexing NAT router, has three IP addresses associated with his connection. For this user the NanoProbe Technology would reveal his machine's TRUE local private-network IP address, his current cable modem and NAT router public IP address, and his transparent web proxying IP address.
Host stealth technology detection, penetration, and appraisal.
Our NanoProbe packets are able to (benignly) penetrate a user's stealth firewall to verify the presence of the system hidden behind. Since our NanoProbe packets are able to bypass stealthing, we are able to "grade" the level and quality of the user's stealthing technology.
True firewall versus simple packet filter discrimination.
The term "Firewall" is becoming so popular that everyone wants to be offering one. But the truth is, significant differences exist between a true firewall and much simpler "packet filters." For example, does the product in question "proxy" half open TCP connections to protect the host machine(s) from common Denial of Service attacks, or are qualifying SYN packets simply allowed to impact the user's unprotected protocol stack?
Our NanoProbe Technology will answer those questions by deliberately exercising any "firewall" to determine exactly what protections it does, and does not, affirmatively provide to the machine(s) it is protecting.
Special "Half-Open" TCP connection "SYN" probing.
Our connection profiling NanoProbe packets establish and reset "Half-Open" TCP connections with the probe target. This is a far more economical and much cleaner means for testing connection-accepting host ports than the traditional TCP "Full-Open" and "Full-Close". It consumes less than half the network bandwidth (3 IP packets as opposed to 7) and leaves much less TCP stack residue in the tested host (no post-connection TIME_WAIT state endpoints). It is also a somewhat stealthful test, since low-technology "evil port monitors" will not sense that their monitored ports have been half-opened.
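Added example, not part of the NanoProbe system: the packet-level flag sequences a defender can use to tell a half-open probe from a full connection, run over a constructed packet log. It also shows why a monitor that only sees completed accept() calls misses the half-open case, and reproduces the 3 versus 7 packet counts mentioned above.

```python
from collections import defaultdict

HOST = "192.0.2.10"    # the monitored host (constructed address)
# Constructed packet records: (src_ip, dst_ip, server_port, tcp_flags).
PACKETS = [
    ("203.0.113.5", HOST, 80, "S"),     # half-open probe of an open port
    (HOST, "203.0.113.5", 80, "SA"),
    ("203.0.113.5", HOST, 80, "R"),     # reset instead of completing the handshake
    ("203.0.113.5", HOST, 22, "S"),     # the same probe against a closed port
    (HOST, "203.0.113.5", 22, "RA"),
    ("198.51.100.9", HOST, 80, "S"),    # ordinary full-open / full-close connection
    (HOST, "198.51.100.9", 80, "SA"),
    ("198.51.100.9", HOST, 80, "A"),
    ("198.51.100.9", HOST, 80, "FA"),
    (HOST, "198.51.100.9", 80, "A"),
    (HOST, "198.51.100.9", 80, "FA"),
    ("198.51.100.9", HOST, 80, "A"),
]

def flows(packets):
    """Group packets by (client_ip, server_port) into ordered (who, flags) lists,
    with who = "c" for the remote client and "s" for the monitored host."""
    table = defaultdict(list)
    for src, dst, port, flags in packets:
        if dst == HOST:
            table[(src, port)].append(("c", flags))
        elif src == HOST:
            table[(dst, port)].append(("s", flags))
    return table

def classify(events):
    """Label one flow from the flag sequence seen on the wire."""
    client = {f for who, f in events if who == "c"}
    server = {f for who, f in events if who == "s"}
    if "SA" in server and client & {"A", "PA", "FA"}:
        return "full-connection"      # the client sent the third handshake packet
    if "SA" in server and "R" in client:
        return "half-open-probe"      # SYN, SYN-ACK, RST: port open, nothing established
    if "S" in client and "RA" in server:
        return "closed-port-probe"
    return "other"

def packet_level_report(packets):
    """Per flow: (label, packets on the wire), as a capturing sensor sees it."""
    return {k: (classify(v), len(v)) for k, v in flows(packets).items()}

def accept_level_report(packets):
    """Flows visible to a monitor that only logs completed accept() calls."""
    return sorted(k for k, (label, _) in packet_level_report(packets).items()
                  if label == "full-connection")
```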
Advanced TCP non-connection "ACK" probing.
Simple, non-stateful "packet filtering" firewalls block connections by simply filtering "SYN packets". Since a SYN packet is the first and required stage of TCP connection initiation, blocking SYNs prevents connection establishment. However, unexpected "ACK" packets can be used to slip past simple "SYN" filters to probe the host machine behind non-stateful firewalls. Our NanoProbe packets slip through such firewalls to do this.
Fragmented and reordered packet filtering vulnerability assessment.
Single large packets travelling across the Internet must sometimes be broken into multiple smaller packets in order to cross packet-size-limited network links. The IP protocol therefore includes provisions for "fragmenting" and "reassembling" IP packets. These provisions can be deliberately subverted to slip dangerous packets through unsuspecting firewalls one piece at a time.
Our NanoProbe packets test the fragmented packet vulnerability of host firewalls by sending a series of three minimum-size packets (of 224, 224, and 192 bits each) in place of one packet 352 bits long. Furthermore, these are delivered both in proper sequence and in deliberate reverse sequence to test the firewall's fragment buffering capability. (It must retain the last fragment, which arrives first, until it receives the first fragment, which arrives last!)
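Added example (not GRC's code): a minimal IP fragment reassembler of the kind a firewall needs before it can inspect the transport header. It splits a constructed 20-byte payload into 8-, 8- and 4-byte data fragments (with a 20-byte IP header, the 224-, 224- and 192-bit packets described above) and reassembles them in forward and reverse order, buffering the last fragment when it arrives first; overlapping fragments are treated as hostile and the datagram is dropped.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    ident: int     # IP identification field, shared by all fragments of one datagram
    offset: int    # fragment offset in 8-byte units, as carried in the IP header
    more: bool     # MF (more fragments) flag
    data: bytes

def fragment(ident, payload, chunk):
    """Split payload into fragments carrying `chunk` bytes each (a multiple of 8)."""
    assert chunk % 8 == 0
    out = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        out.append(Fragment(ident, off // 8, off + len(piece) < len(payload), piece))
    return out

class Reassembler:
    """Per-datagram fragment buffer: add() returns the complete payload once every byte
    up to the end marked by the MF=0 fragment has arrived, in any order, else None."""
    def __init__(self):
        self.parts = {}     # ident -> {byte_offset: data}
        self.length = {}    # ident -> total length, known once the MF=0 fragment arrives

    def add(self, frag):
        parts = self.parts.setdefault(frag.ident, {})
        start, end = frag.offset * 8, frag.offset * 8 + len(frag.data)
        for off, data in parts.items():   # overlap (other than an exact duplicate) is hostile
            if (off, data) != (start, frag.data) and start < off + len(data) and off < end:
                self.parts.pop(frag.ident, None)
                self.length.pop(frag.ident, None)
                return None
        parts[start] = frag.data
        if not frag.more:
            self.length[frag.ident] = end
        if frag.ident not in self.length:
            return None                     # last fragment not seen yet
        have = 0
        for off in sorted(parts):
            if off != have:
                return None                 # a gap remains (e.g. first fragment still in flight)
            have += len(parts[off])
        if have != self.length[frag.ident]:
            return None
        payload = b"".join(parts[off] for off in sorted(parts))
        del self.parts[frag.ident], self.length[frag.ident]
        return payload
```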
UDP/ICMP reflection response probing.
Microsoft-based hosts make extensive use of the UDP/IP protocol to offer highly insecure network services. The first phase of NanoProbe deployment will use UDP NanoProbe packets to profile the probable presence of these insecurities.
The second phase will go further to implement protocol-specific client simulations in order to uncover and confirm additional vulnerabilities.
Differential source IP analysis.
Advanced stateful firewalls and NAT routers actively manage their host's connections by maintaining internal dynamic connection tables. From the standpoint of remote security analysis, this means that the source IP address of inbound packets can dramatically influence the analysis results and the security of the remote host.
Our NanoProbe Technology employs its "bit-level" hand crafted NanoProbe generation capability to launch IP packets carrying source IP addresses which are both deliberately known, and unknown, to the host's protective firewall and/or NAT router. By comparing the differential results obtained from known and unknown source IP addresses, our Technology creates much more detailed assessments of host security.
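Added example, not NanoProbe's own code, covering both the bare-ACK point under "Advanced TCP non-connection ACK probing" and the differential source IP point above: a stateless SYN-only filter beside a connection-tracking filter, run over a constructed packet sequence. The stateful filter accepts the reply from the peer already in its table and drops the same packet from a source IP unknown to the table, as well as a bare ACK, while the stateless filter passes both. Addresses are constructed.

```python
HOST = "192.0.2.10"    # the protected host (constructed address)

def stateless_syn_filter(pkt):
    """Simple packet filter: drop inbound packets whose flags are exactly SYN.
    It remembers nothing, so any other inbound packet, bare ACKs included, passes."""
    src, sport, dst, dport, flags = pkt
    return not (dst == HOST and flags == "S")

class StatefulFilter:
    """Connection-tracking filter: an inbound packet passes only if it belongs
    to a connection the host opened itself (recorded from its outbound SYN)."""
    def __init__(self):
        self.table = set()     # entries: (remote_ip, remote_port, local_port)

    def __call__(self, pkt):
        src, sport, dst, dport, flags = pkt
        if src == HOST:                       # outbound traffic always passes
            if flags == "S":
                self.table.add((dst, dport, sport))
            return True
        key = (src, sport, dport)
        if key in self.table:
            if "R" in flags or "F" in flags:  # teardown removes the entry (simplified)
                self.table.discard(key)
            return True
        return False                          # unsolicited: SYN, bare ACK, anything else

def run(filter_fn, packets):
    """Apply a filter to a packet sequence; True means the packet was passed."""
    return [filter_fn(p) for p in packets]

# Constructed packets: (src_ip, src_port, dst_ip, dst_port, flags).
PACKETS = [
    (HOST, 40001, "198.51.100.7", 443, "S"),    # host opens a connection outward
    ("198.51.100.7", 443, HOST, 40001, "SA"),   # reply from the peer in the table
    ("203.0.113.5", 443, HOST, 40001, "A"),     # same ports, source IP unknown to the table
    ("203.0.113.5", 5555, HOST, 139, "A"),      # bare ACK probe of port 139
    ("203.0.113.5", 5556, HOST, 139, "S"),      # SYN probe of port 139
]
```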
Personal router vulnerability assessment.
The proliferation of home networking, coupled with the availability of broadband Internet access, has created an active market for "Personal NAT Routers" (such as my favorite two solutions from Linksys). These NAT (Network Address Translating) routers allow multiple host machines to transparently share a single broadband IP address.
Host machines running behind NAT routers enjoy an inherently higher degree of inbound attack security thanks to the fact that a NAT router shares many of the attributes of a high quality stateful firewall. However, though the hosts may be protected by the NAT router, the router's protocol interpreters themselves are necessarily continuously exposed to the Internet.
Since our NanoProbe Technology allows us to discriminate among and uniquely determine the user's web proxy server IP address (if any), the router's unique public IP address, and the address of the host machine behind the router, we target NanoProbe packets at the user's personal NAT router in order to independently assess its security and protocol vulnerabilities.
"Last-Hop" router vulnerability assessment.
Corporate networks using blocks of public IP space employ non-NAT "border gateway" routers. These routers often have commonly exploitable vulnerabilities such as open Telnet access and default administration logons. They depend upon security by obscurity, which is no security at all. These router IPs generally remain unknown because they are never the direct source or destination of IP traffic. However, their security is of paramount importance.
Our NanoProbe Technology employs a number of tricks to uncover the non-published IP addresses of these corporate gateway routers even in the presence of outbound ICMP (routing error message) suppression.
We are unsure what to do about non-host network infrastructure vulnerabilities discovered at such locations, since we have no desire to empower a corporation's employees to exploit their employer's vulnerabilities. We may add technology to automatically send email to the administrators of any sub-nets containing such discovered problems.
Active protocol testing.
A continuously evolving aspect of our NanoProbe security assessment facility will be the development of "client protocol simulators" to exercise and evaluate the security of "necessarily exposed" protocols. Windows platforms are host to a virtual cornucopia of frighteningly insecure protocols with new ones being silently foisted upon unsuspecting users every day. (Do you really need Windows ME?) Our initial exposure of Windows' NetBIOS protocol vulnerability, which did so much to raise this site's visibility, is just the tip of the iceberg.
Therefore, empowered by the inherent flexibility afforded by our low-level NanoProbe Technology, as this facility evolves we will be adding tests for such things as the use of default or common and insecure logon passwords and other known exploits to which the typical Windows user may be innocently and unwittingly exposed.
Packet round trip time (RTT) profiling.
Our NanoProbe's ability to penetrate stealth firewalls allows us to affirmatively profile the total round trip time (RTT) of host-reflected data. This information will be displayed to the user in the form of an RTT distribution graph during, and at the completion of, the analysis.
Absolutely spoof proof.
Several minor (but annoying) exploits of the first ShieldsUP! system have been developed to cause a "third-party probing" of an arbitrary IP. While these exploits have been clever in their design, the simplistic nature of the current ShieldsUP! port probe technology renders such exploits more interesting than useful or dangerous.
The NanoProbe Technology, which operates by creating and maintaining an active connection to the probe target throughout the testing, renders this new system absolutely spoof proof through the use of the RSVP Agent system.