Re: Defeating Firewalls: Sneaking Into Office Computers From Home
From: Leythos (void_at_nowhere.lan)
Date: 08/15/05
- Next message: developmental2_at_walla.com: "Re: Norton Internet Security 2003 problem"
- Previous message: Memnoch: "Re: Checkpoint NG AI VPN gatewa behind NAT"
- In reply to: Frankster: "Re: Defeating Firewalls: Sneaking Into Office Computers From Home"
- Next in thread: Leythos: "Re: Defeating Firewalls: Sneaking Into Office Computers From Home"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 15 Aug 2005 19:50:46 GMT
In article <09qdnULrbubpTZ3eRVn-tg@giganews.com>, Frank@SPAM2TRASH.com
says...
> > In this paper, I discuss a technique to get into your office computer
> > using ssh tunneling with some cool tricks.
>
> Man! All in all, bickering aside, this has been a very good thread. In it
> you will find a lot of good info, some technical, some philosophical, some
> efficiency oriented, but lots of good info. This thread is a very good
> example, IMHO, about how there is no such thing as a "one-size-fits-all"
> solution and it underscores the need to do a careful analysis of business
> and customer requirements, before blindly applying a cookie-cutter generic
> solution.
>
> Additionally, by observing the controversy in this thread amongst IT
> professionals, it will give you some idea about why it can be so difficult
> to interface with other networks. Each network "owner" has their own ideas
> about security and network policies. I have spent a good portion of my time
> in IT negotiating a consensus amongst network owners to allow some form of
> connectivity.
>
> Anyway, interesting stuff I think :)
Yep, it's always good to "discuss" the ideals and methods and levels of
security as seen from different angles.
Like you, I've had to "deal" with IT groups that wanted full access to
our network just to access our data in a SQL or Oracle server - and all
they really needed was a view or an export on a nightly basis. I had one
company tell us they needed SA access for their application to run
properly (and it was just a reporting tool)! I've also seen vendors that
are partners that can't set up their appliances and other firewalls to
work with anything except their own vendor's solution - like a business
partner that needs access via port xyz to IP a.b.c.d in your network,
but they want an open connection instead of a VPN with IP/Port to
IP/Port restrictions.
What we find most times is that it's not a technology barrier, it's a
willingness (really it's experience and understanding) of the external
IT source to do more than the minimum needed.
Here's a good example of what I consider standard security measures:
1) User at office wants to work from home, wants to be able to access
things as though they were at the office.
2) User has their own unmanaged PC at home, and is considered
compromised by us until proven otherwise.
3) User is behind a NAT device - thank god.
We would give them a cheap PC, set up in our shop, with our security
measures, and basically locked down so that they can only log on to a
desktop with a PPTP Connection icon and a Remote Desktop icon.
When the user gets on this computer they boot up (no automatic VPN
connection), click the PPTP icon, enter a user/password that is NOT
part of the Windows network and start the login process.
The firewall appliance acts as a PPTP termination point and each user is
set up by the admin with a different user/password than the user's domain
account (Windows). Each user has a specific rule that only allows Remote
Desktop 3389 from their PPTP session to their specific workstation (or
to the terminal server if the company has one).
If they authenticate with the firewall properly they double click the RD
icon and are presented with a user/password prompt again - this one for
the domain and it lets them into their Workstation at their desk (or the
TS in their department).
The RD is set up to not map COM/LPT ports and does not permit file
sharing - the only port that is mapped through is 3389, so they can't
map a connection to anything else.
All sessions are terminated by the firewall after 4 hours or after 20
minutes of inactivity.
We used to do this with VNC and Remote Administrator, but have given in
to RD. We never allow RD access in/out without going through the VPN. If
they want email, they do it through OWA or through RD and the Outlook on
their workstation.
This is a normal method for small and larger companies, even a small
company can afford a cheap firewall that permits PPTP endpoint mapping
to it. Some cheap firewalls also have their own IPSec clients. We don't
use NAT boxes for businesses.
-- spam999free@rrohio.com remove 999 in order to email me
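The access model Leythos lays out above (one VPN account per user, separate from the domain account; a firewall rule that allows only TCP/3389 from that user's tunnel to that user's own workstation; sessions cut after 4 hours or 20 minutes idle) can be written down as an explicit policy and checked against a flow log. The following is an added example, not code from Leythos or from any firewall product; the user names, tunnel addresses, workstation addresses and the flow log are all constructed for illustration.

```python
# Added example (not from the post): a model of the per-user remote-access
# policy described above. Each VPN user gets a fixed tunnel address and a
# single rule allowing TCP/3389 from that address to that user's workstation;
# anything else through the tunnel is dropped, and sessions end after an
# absolute lifetime or an idle period. All names and addresses are constructed.
from dataclasses import dataclass
from typing import Optional

RDP_PORT = 3389
MAX_SESSION_SECONDS = 4 * 60 * 60   # "terminated after 4 hours"
IDLE_TIMEOUT_SECONDS = 20 * 60      # "or after 20 minutes of inactivity"


@dataclass(frozen=True)
class AccessRule:
    vpn_user: str       # firewall VPN account, separate from the domain account
    vpn_address: str    # address the firewall hands this user's tunnel (constructed)
    workstation: str    # the one inside host this user may reach


@dataclass
class Session:
    vpn_user: str
    started_at: float      # epoch seconds when the tunnel came up
    last_activity: float   # epoch seconds of the last packet seen


class RemoteAccessPolicy:
    """Evaluates flows arriving from the VPN side of the firewall."""

    def __init__(self, rules):
        self._by_address = {r.vpn_address: r for r in rules}

    def decide(self, src: str, dst: str, proto: str, dport: int):
        """Return (allowed, reason) for one flow from the tunnel into the LAN."""
        rule = self._by_address.get(src)
        if rule is None:
            return False, "source is not an authenticated VPN session"
        if proto != "tcp" or dport != RDP_PORT:
            # File sharing, printing and everything else stay closed; only
            # Remote Desktop is mapped through the tunnel.
            return False, f"only TCP/{RDP_PORT} is permitted through the tunnel"
        if dst != rule.workstation:
            return False, f"{rule.vpn_user} may only reach {rule.workstation}"
        return True, f"{rule.vpn_user} -> {rule.workstation} RDP"


def session_expiry_reason(session: Session, now: float) -> Optional[str]:
    """Return why the firewall should tear the tunnel down, or None if it may stay."""
    if now - session.started_at >= MAX_SESSION_SECONDS:
        return "absolute 4-hour limit reached"
    if now - session.last_activity >= IDLE_TIMEOUT_SECONDS:
        return "idle for 20 minutes"
    return None


# Constructed policy: two users, each pinned to one workstation.
RULES = [
    AccessRule("alice.vpn", "10.99.0.10", "192.168.1.50"),
    AccessRule("bob.vpn", "10.99.0.11", "192.168.1.51"),
]
POLICY = RemoteAccessPolicy(RULES)

# Constructed flow log from the VPN interface: src dst proto dport
FLOW_LOG = """\
10.99.0.10 192.168.1.50 tcp 3389
10.99.0.10 192.168.1.51 tcp 3389
10.99.0.10 192.168.1.50 tcp 445
10.99.0.11 192.168.1.51 udp 3389
10.99.0.42 192.168.1.50 tcp 3389
"""


def evaluate_flow_log(text: str):
    """Apply the policy to each flow line; returns a list of (line, allowed, reason)."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = line.split()
        allowed, reason = POLICY.decide(src, dst, proto, int(dport))
        results.append((line, allowed, reason))
    return results


if __name__ == "__main__":
    for line, allowed, reason in evaluate_flow_log(FLOW_LOG):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {line:36} {reason}")
    stale = Session("alice.vpn", started_at=0.0, last_activity=0.0)
    print(session_expiry_reason(stale, now=25 * 60))
```

Only the first flow (alice's tunnel address to alice's workstation on TCP/3389) is allowed; the attempt on another user's workstation, the SMB port, UDP, and an address the firewall never assigned are all denied, which is the "IP/Port to IP/Port" restriction the post contrasts with an open connection.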