From: Jose Maria Lopez (jkerouac@bgsec.com)
Date: Fri Sep 03 2004 - 13:20:10 EDT
El vie, 03 de 09 de 2004 a las 02:04, Gary E. Miller escribió:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Yo Jose!
>
> On Thu, 2 Sep 2004, Jose Maria Lopez wrote:
>
> > But if you allow in and out from specific ports you have at least a
> > second level of security over what the original poster said it had.
> > Only allowing out from some IPs it's possible, but I find it very
> > difficult to make rules for the outer IPs, having in mind the original
> > poster wants to have internet connection from the LAN for that
> > machines.
>
> If you leave just ONE port open, then an insider can use it to tunnel
> out. That one port is often DNS/udp. You have to work very, very,
> hard to filter out IP over DNS/udp. You could force the use of
> an internal DNS server, but if it allows any recursive lookups out
> of the firewall then game over.
>
> This /. describes how to do it:
> http://slashdot.org/articles/00/09/10/2230242.shtml
>
> The insider does not even need an open port. Only TCP/IP (proto 6) and
> TCP/UDP (proto 17) use "ports". The insider can just use a "portless"
> protocol like TCP/ICMP (proto 1), TCP/ESP (proto 50), TCP/AH (proto 51),
> etc.
>
> There are several IPSEC stacks available as freeware that use TCP/ESP
> and TCP/AH.
>
> RGDS
> GARY
> - ---------------------------------------------------------------------------
> Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
> gem@rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
>
> iD8DBQFBN7T48KZibdeR3qURAm4gAJ9GXYH6eeVS55+ai8SLOT93raeBKACg2BGf
> QUxTOF4ZbKCUlGm33D2r0+w=
> =HiIK
> -----END PGP SIGNATURE-----
I agree completely. And finding a firewall piercing through ICMP packets
for example can be quite tricky, and I have some tools that can proxy
traffic through a firewall with ICMP packets. The other protocols are
less dangerous, I think. If you don't need them you just block them at
the firewall, if you need them you just permit the traffic between the
VPN devices and not route all the traffic through them.
I think TREX can do some kind of application firewall for DNS, HTTP and
all the common services one wants to open at the firewall. But it's so
hard to compile it that I couldn't try it yet, but it could solve the
problem.
--
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:03 EDT