Re: Proof that firewalls can be circumvented

From: William Stacey [MVP] (staceyw@mvps.org)
Date: 07/07/02 

From: "William Stacey [MVP]" <staceyw@mvps.org>
Date: Sat, 6 Jul 2002 22:15:39 -0400

Using this technique, a TCP/UDP proxy client (i.e. fpipe), and a proxy
listener on the outside you could probably do this kind of thing with almost
any TCP/UDP app if the firewall was doing inspection at the application
level. AFAICT, if you wanted to build it (not too hard), you could even do
this in a Proxy server situation where they will not let you do anything but
use port 80 and HTTP. Create a client/server HTTP proxy app that converts
your local client's TCP packets to HTTP messages and sends them out and does
the reverse. The Proxy server will be sending the data on your behalf
thinking it is just normal web traffic. XML and .NET web services make this
sort thing even easier. The way to stop this kind of thing is with
something like private keys on web browsers and/or integrated with IPSEC so
the Proxy server or NAT firewall can verify client app is the *browser and
not some other app tunneling TCP/IP. Interesting :-) 

--
William Stacey, MCSE
Windows Server MVP

"Charles Newman" <charlesnewman1@attbi.com> wrote in message
news:srlV8.410007$352.53049@sccrnsc02...
>
>
>     On one adult chat room I like to go to, there is one woman who gets
> around her
> company firewalls to get on during the day, and her company has no CLUE
she
> is doing this. What she does is set up a proxy sever on her home PC, and
> then
> configures mIRC on her work PC to go through the proxy on her home PC, to
> get to the chat room.  She also sets the listening ports on her proxy on
> ports
> other than 23 or 1080, so her activities are far less likely to be
noticed.
>      Since her home PC is being used to access the chat room, the admins
at
> her
> company are CLUELESS to what she is going. So to all your admins out
there,
> who invest tens of thousands dollars on filtering software and firewalls,
> just be aware
> that one astute user, like this woman, can get around it, and you will
never
> know
> what they are up to.
>
>
>

Relevant Pages

  • Re: How to Prevent Non Proxy Use of Web Browsers
    ... IPs in my firewall rules through use of DNS objects. ... to *force* all web browsing to go through web proxy and forbid direct ... Client or as a Firewall Client. ...
    (microsoft.public.isa)
  • Re: ISA 2006 Features
    ... and that NATing Firewall is the ISA. ... ISA is a Web Proxy, ... the Firewall Client does not mean you are doing anything "direct". ...
    (microsoft.public.isaserver)
  • Re: Proxy capabilities and securenat/firewall client
    ... I currently have a watchguard box as my perimeter firewall. ... public IP) in order to utilise it's reverse web proxy functionality. ... Connection. ... IPSEC firewall client? ...
    (microsoft.public.isaserver)
  • Re: site subnet implication
    ... Client that can be controlled by the ISA Server. ... you may temporarily disable ISA Firewall ... For the GPO applied to site, if your move user to another site, he/she will ... | I want to use only the configuration proxy in IE. ...
    (microsoft.public.windows.group_policy)
  • Re: ISA Server Problems, please help
    ... The All access rule for SBS Internet ... Web Proxy and/or ... > To accommodate the linux SecureNAT clients you should create a new Client ... ISA Server denies the specified Uniform Resource Locator. ...
    (microsoft.public.windows.server.sbs)