Re: Firewall Stealth Mode?

Leythos wrote:
In article <47gq3kFfgmlbU1@xxxxxxxxxxxxxx>, seppi@xxxxxxxxx says...
Leythos wrote:

Nope, in fact, I had to disable part of the firewall rules just to be
able to download it as the code would not pass through the firewall to
the local machines.
You really don't want to get the point, do you? And obviously your
network seems to be locked down to unusability. You don't even trust
your very own download requests?

You don't understand security much if you think that anyone should be
able to download anything at anytime on any network.

Usually, when your staff is allowed to surf the web, you can't stop them
from doing so.

The point is, what can they do after the download. Running the
executable? For sure not! :-)

Sure, I have rules that allow "Me" to bypass filtering at the gateway,
but I don't normally use it as there is little reason for me to allow
download of many types of files.

So an executable tagged as text/plain is no danger?

I also don't allow users on my network
free access to the internet - after all, we are in a security group,
talking about security ideas/ideals, and only a fool would allow
complete, unrestricted, open, access to the internet for everyone on a

But any serious width of allowance is a problem. And a too narrow
configuration is usually just counterproductive.

But you might use the Help Center instead, or an IFilter triggered
WinHTTP download, or many other curious things (hey Volker, here're some
nice ideas). Just write your own code.
There are so many scripting methods provided just by COM+ that you won't
be able to address even a little part of them. And I guess you should
know how to find out how your system behaves with COM+ interaction
disabled. Not fine.

And so we're back to where his POC didn't work, didn't even make it to
the labs test stations using standard firewall rules, etc.... So, it
seems that the little trick is just one needed to spread FUD.

If you don't even read what I wrote, why are you answering?

The point is that, as soon as the code is run inside the network, you
have lost. Not letting it get there is one trial, pretty useless, not
letting it run usually the better concept.

You didn't try to debug the POC or modify it to a different situation
that is an issue in your concept. I can easily assert that a lot of such
issues exist, as I already wrote.

In reality, where I work every day, you can't honestly tell me that many
people using NAT or PFW apps actually don't have compromised machines,
that they just think they don't have compromised machines.

So far I have helped hundreds of people remotely by evaluating HijackThis
logs, seen even more being evaluated and helped build up automated
evaluation like seen at >>.
I can clearly tell the difference between a believed-uncompromised and
a really uncompromised machine.

And there you can see interesting stuff: The system running 100
different instances of malware and both Norton Antivirus and Sygate PFW
running fine and telling that everything is OK. :-)

Now, take a
Windows 2000 or XP computer in its default config, connect it the same
way, use it for a month and tell me you didn't get compromised.

Installing a PFW is no default configuration either, so your comparison
is, yet again, bullshit.