Re: what should I do when....

On 2008-07-11 Adriel Desautels wrote:
A firewall is software running on hardware that is designed to enforce
security policies that have little effect on how a hacker breaks into
your network. So long as the hacker works within those policies his or
her traffic will be passed, and they'll get in.

A firewall is not a system that *secures* a network, shielding it from
access by unauthorized users, but it might want to be and some people
might like to think that it does that effectively. Can you show me one
that does *secure* a network?

For every security concept you identify threats, break them down into
distinct attack scenarios and identify countermeasures for each attack
scenario (or decide that you'll live with the risk that the given
scenario poses).

During one of our penetration tests I convinced a user to browse to a
page hosted on our company website. When they did, their browser was
exploited and their computer connected back to me over https. Why did
I choose https? I chose https because I knew that the firewall allowed
outbound https connections for users. I then used that access to
perform distributed metastasis and penetrate other systems. The
firewall did not "Secure" the network and "prevent" unauthorized
access, we still got in.

There are obviously several ways to deal with this scenario at the
firewall level:

a) Disallow https altogether.
b) Whitelist sites that are allowed to be accessed via https.
c) Man in the middle: Break the https connection into two connections,
one from the client to your proxy, the other from your proxy to the
server. Then your proxy can inspect/filter the traffic.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq