Re: firewall question

From: Dario N. Ciccarone (dciccaro@cisco.com)
Date: 02/14/02


Date: Thu, 14 Feb 2002 17:12:03 -0300
To: "leon" <leon@inyc.com>, <pen-test@securityfocus.com>
From: "Dario N. Ciccarone" <dciccaro@cisco.com>


>It seems to me that a lot of people use either nat or pat and that
>these types of firewalls by default drop unsolicited connection
>attempts (meaning packets that arrive with the syn bit set). Any
>packet that leaves the network is put in the state table so that the
>return packets can come back in. My question is this: if I were to
>exploit a client-side buffer overflow and I got the system to make a
>connection to me via netcat with a destination port of 80, would I
>circumvent a majority of the stateful inspection firewalls? It seems

Depends on configuration. You can block all outgoing traffic, or force the user to authenticate to the firewall before being allowed to go out.

>that these firewalls trust that ALL connections originating from the
>inside are good. Now I know we could block off destination ports of
>services we don't want to allow access to (say no port 23 traffic
>leaves the network because we don't allow telnet) but I am wondering
>if either of these firewalls has a method of filtering based on
>protocol (for example allow 80 to be a destination port but only http
>traffic can cross it. No netcat, no aim, no limewire just http).

That would be a proxy-type firewall. PIX and Checkpoint are both stateful packet filters. A proxy firewall can inspect the traffic, and upon realizing it's not HTTP (it's not conformant to spec) it could drop it.

Of course, nothing prevents you from using something like httptunnel...
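The difference between the two firewall types discussed above, as an added illustration that is not part of the original thread and not the code of any firewall product: a stateful packet filter decides on the destination port of the outbound SYN alone, while a proxy-style check also requires the first client bytes to be a well-formed HTTP/1.x request. The sample flows and the allowed-port set are constructed for the example; as the reply notes, a conformance check of this kind cannot see traffic that is tunnelled inside valid HTTP.

```python
import re

# Constructed egress policy: what a port-only stateful filter can express.
ALLOWED_EGRESS_PORTS = {80, 443}

# HTTP/1.x request line (RFC 2616 5.1): Method SP Request-URI SP HTTP-Version CRLF
_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) "
    rb"(\*|/[^ \r\n]*|[a-z]+://[^ \r\n]+) HTTP/1\.[01]\r\n"
)
# One header field: token ":" field-value CRLF
_HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[^\r\n]*\r\n$")


def stateful_filter_allows(dst_port: int) -> bool:
    """Stateful packet filter: egress decision on destination port only; payload is never read."""
    return dst_port in ALLOWED_EGRESS_PORTS


def looks_like_http_request(payload: bytes) -> bool:
    """Proxy-style check on the first client bytes: valid request line and well-formed headers."""
    if not _REQUEST_LINE.match(payload):
        return False
    head, _sep, _body = payload.partition(b"\r\n\r\n")
    header_lines = [line for line in head.split(b"\r\n")[1:] if line]  # drop request line
    return all(_HEADER_LINE.match(line + b"\r\n") for line in header_lines)


def proxy_filter_allows(dst_port: int, payload: bytes) -> bool:
    """Proxy firewall: port must be permitted AND the conversation must conform to HTTP."""
    return stateful_filter_allows(dst_port) and looks_like_http_request(payload)


# Constructed sample flows, all outbound to destination port 80.
SAMPLE_FLOWS = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "shell_prompt": b"$ ",  # an interactive shell piped through netcat, not HTTP
    "binary_chatter": b"*\x01\x00\x00\x00\x04\x00\x00\x00\x01",  # non-HTTP client protocol
}


def classify(flows: dict) -> dict:
    """Return {name: (stateful verdict, proxy verdict)} for each sample flow to port 80."""
    return {name: (stateful_filter_allows(80), proxy_filter_allows(80, data))
            for name, data in flows.items()}
```

Running `classify(SAMPLE_FLOWS)` shows the port-only filter passing all three flows while the proxy-style check passes only the browser request.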
