Re: [fw-wiz] Instance Messengers and Firewalls

From: ArkanoiD (ark_at_eltex.net)
Date: 09/03/04

    To: Kevin Sheldrake <kev@electriccat.co.uk>
    Date: Fri, 3 Sep 2004 19:07:09 +0400
    
    

    nuqneH,

    I think the best idea is to disable p2p functionality and to enforce
    protocol checks if possible.

    On Sat, Aug 28, 2004 at 11:17:48AM +0100, Kevin Sheldrake wrote:
    > I believe most IM software can be forced to tunnel connections over HTTP.
    > This has the distinct advantage that port management in the firewall is
    > unnecessary (save for a stateful outbound tcp/80). AMSN, for instance,
    > will connect, chat and receive files over this method. The downside is
    > that HTTP (or more specifically, port 80) is being abused by the IM
    > software. Search the RFC index for TCP/IP over HTTP for more info on why
    > this is bad practice.
    >
    > If you have to allow IM software, putting them over HTTP is probably the
    > best of a bunch of bad things that you could do.
    >
    > Kev
    >
    >
    > > Hi,
    > > MSN, AOL and ICQ Messengers came a long way and they traverse
    > > through NAT/NAPT devices smoothly. IMs make use of 'Address Binding'
    > > (Section 3.1, rfc 3022) features of NAT devices to support Peer to
    > > Peer functionality, such as Audio/Video etc..
    > >
    > > But, they are not as friendly for Firewalls. Since the destination
    > > IP and Port of peer are unknown at the time of configuration of
    > > firewall policies, Administrator may be forced to allow all
    > > connections to all ports. This is not good from a security perspective.
    > > If the firewalls have Application intelligence of these protocols,
    > > they could only open temporary holes to allow data connections of
    > > these IMs. These protocols are proprietary and ever changing and it
    > > is also observed sometimes, they go for encrypting the data.
    > > So, firewalls can't be trusted to have support for new IMs
    > > immediately.
    > >
    > > These IMs have configuration for SOCKS5, which is meant for
    > > authenticated firewall traversal. But, it seems that these IMs
    > > did not implement UDP related commands of SOCKS5. SOCKS5 proxies
    > > can't be used for this purpose. Is my understanding right?
    > >
    > > Is there any other way to allow IMs without allowing all
    > > outbound connections?

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
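As an added illustration of the "enforce protocol checks" advice in the reply above (example code written for this archive page, not from the thread, the list or any firewall product): a small classifier that looks at the first client-to-server bytes of a tcp/80 flow and separates a syntactically valid HTTP/1.x request from a CONNECT tunnel request and from anything that is not HTTP at all. The flow samples, addresses and the "EXAMPLEPROTO" text protocol are constructed for the example. The POST sample shows the limit Kevin points out: IM traffic carried inside a well-formed HTTP request passes a syntax check, so a content policy or a proxy that understands the application is still needed on top of it.

```python
import re

# Methods from RFC 7231 (plus PATCH from RFC 5789). CONNECT is kept out of this
# set on purpose: a CONNECT on tcp/80 is an explicit request to open an opaque
# tunnel through the firewall, so it gets its own verdict below.
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH"}

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")
# field-name ":" OWS field-value, with the token characters RFC 7230 allows.
HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*$")


def classify_port80_payload(payload: bytes) -> str:
    """Classify the first client bytes seen on a tcp/80 flow.

    Returns one of:
      "http"         a syntactically valid HTTP/1.x request head
      "http-connect" a CONNECT request, i.e. a tunnel request
      "non-http"     binary data or a text protocol that is not HTTP
      "undecided"    too few bytes to finish a request line yet
    """
    if not payload:
        return "undecided"
    # An HTTP request starts with an upper-case method token; a TLS record
    # (0x16), a length-prefixed binary framing or anything else fails here.
    if not (payload[:1].isalpha() and payload[:1].isupper()):
        return "non-http"

    head, sep, _body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not sep:
        # End of headers not reached: the last fragment may be a partial line,
        # so it must not be judged as malformed.
        lines = lines[:-1]
    if not lines:
        return "undecided"

    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "non-http"
    method = m.group(1).decode("ascii")
    if method == "CONNECT":
        return "http-connect"
    if method not in HTTP_METHODS:
        return "non-http"
    for line in lines[1:]:
        if line and not HEADER_LINE.match(line):
            return "non-http"
    return "http"


def flag_flows(flows):
    """Map source address -> verdict for every tcp/80 flow that is not plain HTTP."""
    flagged = {}
    for src, payload in flows:
        verdict = classify_port80_payload(payload)
        if verdict != "http":
            flagged[src] = verdict
    return flagged


# Constructed sample flows (not captured traffic); tuples of (client IP, first bytes).
SAMPLE_FLOWS = [
    ("10.0.0.11", b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n"),
    ("10.0.0.12", b"CONNECT chat.example.net:443 HTTP/1.1\r\nHost: chat.example.net:443\r\n\r\n"),
    ("10.0.0.13", b"VER 1 EXAMPLEPROTO CVR0\r\n"),            # made-up line-based IM protocol
    ("10.0.0.14", b"\x16\x03\x01\x00\xa5\x01\x00\x00"),        # TLS record header on port 80
    # Well-formed POST with an opaque body: passes the syntax check, which is
    # exactly why HTTP-tunnelled IM cannot be caught by protocol checks alone.
    ("10.0.0.15", b"POST /gateway HTTP/1.1\r\nHost: gw.example.com\r\n"
                  b"Content-Type: application/octet-stream\r\n\r\nVER 1 EXAMPLEPROTO"),
]

if __name__ == "__main__":
    for src, verdict in flag_flows(SAMPLE_FLOWS).items():
        print(f"{src}: {verdict}")
```

In a real deployment the verdict would drive the firewall's policy on the 80/tcp allow rule (drop or log the flow) rather than a printout, and the "undecided" state is what you get on the first segment of a slow client, so the check has to be re-run as more bytes arrive instead of being treated as a pass.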

