Re: Firewall Evasion
From: Ian Gregory (I.H.Gregory@herts.ac.uk)
Date: 06/21/02
From: I.H.Gregory@herts.ac.uk (Ian Gregory) Date: 21 Jun 2002 12:14:55 GMT
Brian Aberle wrote:
>If machine "A" behind a firewall runs software that imitates a browser,
>that request may pass through the firewall just like any HTTP GET.
[verbose description of how to tunnel arbitrary traffic through
an http proxy omitted]
Nice idea, but hardly original.
>Full Description:
>http://www.ub2b.com/FiveLoaves.html
OK, I have had a look. From the above URL:
    4. Tunneling TCP data (like SSH or http://www.http-tunnel.com/), but
    the tunnel can bounce across ANY number of points, AND gives the user
    full control over the entire connection route network and hardware.
Doesn't seem too clear to me. What does "Tunneling TCP data" mean?
SSH establishes an encrypted channel over TCP/IP which can then be
used to tunnel application data. It also has nice port forwarding.
Or if you need to work at a lower level then there is IPSEC.
And since this is a unix group forget about the commercial http-tunnel
which runs only on Macroshaft systems. Get the proper httptunnel from
http://www.nocrew.org/software/httptunnel.html
Here is another quote from the FiveLoaves site:
    Consider this connection-route:
    www.MyCompanysInternetServer.com|MyOfficePCAddress
    This time the data enters the tunnel on your machine (at home or
    elsewhere) and is encrypted with the secret key of a machine called
    MyOfficePCAddress. The data travels to the first machine called
    www.MyCompanysInternetServer.com. www.MyCompanysInternetServer.com
    couldn't see the data if it wanted to because it's encrypted with a
    key that it does not know.
Again, this seems confusing. What do you mean by the "secret key"?
If you are using public key cryptography then you would surely
generate a random session key and encrypt it with the _public_ key
of MyOfficePCAddress on the assumption that only MyOfficePCAddress
has the corresponding _private_ key with which to recover the session
key. But the "secret key"? I am confused. In any case, whatever
crypto system you use, how do you handle key distribution?
I guess this software might be useful for people who have to use
Winblows machines. I am immediately put off by talk of things like
"The ability to control mouse and keyboard from remote". Why would
I be interested in a cheap conjuring trick like that? If I am at a
workstation then the mouse is MINE, and if it is a server, well we
all know that REAL servers don't have mice:-)
-- 
Ian Gregory
Systems and Applications Manager
Learning and Information Services
University of Hertfordshire
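
The session-key scheme described in the reply above, as an added example that is not part of the original post and not FiveLoaves code: a random session key is wrapped with the destination's public key, so the intermediate relay cannot recover the payload. It assumes the sender already holds an authentic copy of the destination's public key, which is exactly the key-distribution question the reply raises; the function names, keys and payload are constructed for the illustration.

```javascript
// Added example, not code from the original post or from FiveLoaves.
// Host names are those quoted in the post; keys and payload are constructed.
const nodeCrypto = require('crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Sender: a fresh random session key per message, wrapped with the
// destination's PUBLIC key; the payload itself is sealed with AES-256-GCM.
function seal(plaintext, recipientPublicKey) {
  const sessionKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedKey = nodeCrypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, sessionKey);
  return { wrappedKey, iv, body, tag: cipher.getAuthTag() };
}

// Receiver: only the matching PRIVATE key unwraps the session key, and the
// GCM tag check rejects an envelope that was modified in transit.
function unseal(envelope, privateKey) {
  const sessionKey = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, envelope.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', sessionKey, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.body), decipher.final()]);
}

// True only if the holder of privateKey can recover an authentic payload.
function canUnseal(envelope, privateKey) {
  try { unseal(envelope, privateKey); return true; } catch { return false; }
}

function demo() {
  const gen = () => nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const office = gen(); // MyOfficePCAddress (destination)
  const relay = gen();  // www.MyCompanysInternetServer.com (intermediate hop)
  const envelope = seal(Buffer.from('constructed sample payload'), office.publicKey);
  // Copy of the envelope with one ciphertext bit flipped, as a relay could do.
  const tampered = { ...envelope, body: Buffer.from(envelope.body) };
  tampered.body[0] ^= 0x01;
  return {
    office: unseal(envelope, office.privateKey).toString(),
    relayCanRead: canUnseal(envelope, relay.privateKey),
    tamperAccepted: canUnseal(tampered, office.privateKey),
  };
}
```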