How to Deny or Drop Replies in Allowed UDP Sessions

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to Deny or Drop Replies in Allowed UDP Sessions

L0 Member

Hi All,

I'm trying to address a hypothetical scenario where some solutions act only as listeners and do not need reply to the sender.
For example, a SIEM system listening on UDP port 514 does not reply to the log sender.

In such a case, we configure rule as follows:
- Source: Log source
- Destination: SIEM server
- Service: UDP/514

However, I’m concerned about a situation where the SIEM could be vulnerable, and an attacker could exploit the fact that all company devices have established sessions with the SIEM. This could allow the attacker to send malicious data back on the same session.

Is there a way to configure the firewall to allow UDP sessions from the sender to the recipient but deny any replies from the recipient within the same session?

I understand this doesn’t make sense for TCP due to the mandatory 3-way handshake, but my question is specifically about UDP.

Thanks!

3 REPLIES 3

Cyber Elite
Cyber Elite

I'd first look at the likelihood of this happening:

The attacker would need to be able to forge packets that use the same session parameters. Granted, for a sufficiently sophisticated attacker this should not be that difficult.

The next step is that the firewall will perform several checks on the returning packet:

  • App-ID where the firewall verifies if the packet being sent matches the expected behavior for the application. if the payload of the attacker's packet does not match the behavior of the app-id, it will be discarded
  • Content-ID the returning packet will be scanned by the firewall's content engine and malware/vulnerabilities will be blocked

secondly, you could try to create a custom vulnerability that you set 'server2client' and trigger on any payload?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks Dear,

Yes, the scenario is unlikely.

I don't know if I can create a custom vulnerability that matches any reply from specific server IP on UDP sessions.

Is this possible?!

Or can we override the stateful behavior on specific rule? so the reply for the connection will be already denied!?

you can't change statefulness of the session

 

i did think of another 2 'creative' hacks:

1. you can attach that destination ip to it's own interface that has it's very own Virtual Router. on your default router you create a route that points to the other VR, but on the other VR you don't create a route back... that might work

2. if you set up policy based forwarding you can punt packets towards your destination to the right interface, and then set a symmetric that points to a sinkhole IP

 

both are 'hacks' so not entirely sure if they'll work as expected, but it's worth the try if this is important to you

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 694 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!