RE: basic stateful inspection question

From: "Hiemstra, Brenno" <brenno.hiemstra@ignite.nl>
To: "'leon'" <leon@inyc.com>, security-basics@security-focus.com
Date: Fri, 8 Feb 2002 09:08:58 +0100

Leon,

If what you are talking about is checking whether the packets going through port 80 are REAL HTTP, then you will be disappointed.

What you can do on Checkpoint (don't know if PIX can do it) is authenticate on HTTP connections and point to some sort of CVP server that checks traffic going to the internet from the internal network. This way the CVP server can check IP packets for all kinds of stuff (depends on the CVP server, of course) and may deny packets that aren't HTTP packets.

This makes it more difficult to use port 80 through firewalls, but if you can do some serious firewall piercing you may find another port that is open and connect through that port to the internet with netcat.

Basically it depends on whether they use plain and simple stateful inspection or do some more application filtering of traffic. A normal Checkpoint or PIX firewall allowing port 80 is vulnerable; if they use some kind of proxy or CVP it's not so easy to connect with netcat to the outside.

What I also advise network admins is to allow HTTP traffic outbound only via the proxy (if you use one, which I would advise to always use anyway)... don't allow HTTP traffic originating from the clients out!

Regards,

Brenno

> -----Original Message-----
> From: leon [SMTP:leon@inyc.com]
> Sent: donderdag 7 februari 2002 3:20
> To: security-basics@security-focus.com
> Subject: basic stateful inspection question
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> It seems to me that a lot of people use either NAT or PAT and that
> these types of firewalls by default drop unsolicited connection
> attempts (meaning packets that arrive with the SYN bit set).
> Any packet that leaves the network is put in the state table so that
> the return packets can come back in.
> My question is this: if I were to exploit a client-side buffer
> overflow and I got the system to make a connection to me via netcat
> with a destination port of 80, would I circumvent a majority of the
> stateful inspection firewalls? It seems that these firewalls trust
> that ALL connections originating from the inside are good. Now I know
> we could block off destination ports of services we don't want to
> allow access to (say no port 23 traffic leaves the network because we
> don't allow telnet), but I am wondering if either of these firewalls
> has a method of filtering based on protocol (for example, allow 80 to
> be a destination port but only HTTP traffic can cross it: no netcat,
> no AIM, no LimeWire, just HTTP).
>
> I have seen a ton of networks where I came in and I found people
> using things like AIM even though the firewall specifically only
> permitted port 80 traffic out (obviously these people switched the
> port from 5190 to 80).
>


