Firewall Wizards mailing list archives

RE: GXD vs. SPF


From: "Paul D. Robertson" <proberts () clark net>
Date: Sat, 3 Oct 1998 13:02:35 -0400 (EDT)

On Thu, 1 Oct 1998, Hines Dennis wrote:

> > Maybe it's just me, but I still fail to see the security stance of 
> > someone who allows more than about four protocols.  Tunneling over SMTP, 
> > HTTP, and DNS are pretty difficult to detect as is, but at least most of 
> > it's trendable with statistics from common gateways.  How the heck do you 
> > figure out a tunnel over half a gazillion protocols and still feel a 
> > measure of protection?  Was I asleep in that part of the sales pitch?
> 
> Could someone fill me in a bit on the risks of tunneling over SMTP, HTTP,
> etc.  What are the capabilities of this sort of attack?  How is it
> accomplished (in general terms).

For the simplest tunneling,

Trojan, or exploit a client to run code that will open a raw socket, take 
the packets off the wire, encapsulate them in (SMTP, HTTP, DNS, ping...) 
and send them out.  Decapsulate inbound packets and put them on the wire.  
Now you've got a broad tunnel in and out of the network, you can place 
the attacking machine on the network virtually, and attack away.

Someone a while back (sorry, I forget the direct attribution it was many 
years ago) did telnet over SMTP this way, using uuencode on the packets.  
Latency wasn't great, but the MTU was _huge_.  Since most sites allow 
SMTP, and don't track or have a way to automatically shut off specific 
mail destinations based on volumes, co-opt one internal machine any way 
you choose (new copy of Eudora anyone?), and you've got telnet to an 
internal host, and access to anything it can reach.

Java applets, and the propensity to load any new "cool" application from 
the Internet seem to make this even easier if the site is one which has a 
packet filtering firewall that lets anything TCP related out so long as a 
client starts the conversation (this is the *default* installation for 
most of those vendors I've seen installing FW-1).

RealAudio, Pointcast, and a few others have written their protocols to 
tunnel over HTTP simply because a number of us won't open more holes in 
our firewalls; OpenBSD will install via HTTP through a proxy server.  
There's nothing stopping attackers from using that mechanism to their 
advantage.  This is where I think Marcus' trending and analysis in NFR, 
and a couple of sniffer vendors have hit the target.  Unfortunately, 
encryption is coming to the networks, and that makes detailed traffic 
analysis impossible.  It's one reason I still don't allow SSL.

As always, your paranoia may vary.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
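
The two halves of the post above, the "encapsulate packets in mail" trick and the per-destination volume trending that exposes it, as an added example in Python. This is not code from the original message or from the list; every host, address, cover subject and log line below is constructed for the illustration, and the log format is a simplified sendmail-style record rather than any real gateway's output.

```python
"""Packet-over-SMTP tunnelling and the volume trending that exposes it.

Added example, not code from the original post. Every host, address and
log line is constructed for the illustration; the log format is a
simplified sendmail-style record, not any real gateway's output.
"""
import binascii
import re
from collections import defaultdict
from email import message_from_string
from email.message import EmailMessage

# --- the tunnel: arbitrary packet bytes carried in an ordinary-looking mail ---

def encapsulate(packet: bytes, sender: str, recipient: str) -> str:
    """Wrap a raw packet in a uuencoded mail body (the 'out' direction)."""
    lines = ["begin 644 packet.bin"]
    # uuencode works on 45-byte input chunks; b2a_uu enforces that limit.
    # backtick=True avoids trailing spaces that mail software may strip.
    for off in range(0, len(packet), 45):
        chunk = packet[off:off + 45]
        encoded = binascii.b2a_uu(chunk, backtick=True).decode("ascii")
        lines.append(encoded.rstrip("\n"))
    lines += ["`", "end"]
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "re: meeting notes"   # innocuous cover subject (assumption)
    msg.set_content("\n".join(lines))
    return msg.as_string()


def decapsulate(raw_message: str) -> bytes:
    """Recover the packet from a tunnel message (the 'in' direction)."""
    body = message_from_string(raw_message).get_payload()
    out, inside = bytearray(), False
    for line in body.splitlines():
        if line.startswith("begin "):
            inside = True
        elif inside and line == "end":
            break
        elif inside and line != "`":
            out += binascii.a2b_uu(line)
    return bytes(out)


# --- the defence: per-pair volume trending from gateway logs ---

LOG_RE = re.compile(r"from=<(?P<src>[^>]+)>, to=<(?P<dst>[^>]+)>, size=(?P<size>\d+)")


def volume_by_pair(log_lines):
    """Messages and bytes per (sender, destination) pair in one log window."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            totals[(m["src"], m["dst"])][0] += 1
            totals[(m["src"], m["dst"])][1] += int(m["size"])
    return {pair: tuple(v) for pair, v in totals.items()}


def flag_volume_anomalies(log_lines, baseline, ratio=3.0, new_pair_min=10):
    """Pairs sending more than `ratio` times their baseline message count,
    or at least `new_pair_min` messages for a pair never seen before.
    An interactive session tunnelled over mail shows up as a burst of
    messages to one destination. Nothing here reads the body, so an
    encrypted body does not blind the check."""
    flagged = []
    for pair, (msgs, nbytes) in volume_by_pair(log_lines).items():
        expected = baseline.get(pair)
        if expected is None:
            if msgs >= new_pair_min:
                flagged.append((pair, msgs, nbytes))
        elif msgs > ratio * expected:
            flagged.append((pair, msgs, nbytes))
    return sorted(flagged)


def demo():
    """Round-trip a constructed packet, then run the trend check over a
    constructed log window containing the tunnel's burst."""
    packet = bytes(range(64)) + b"login: mallory\r\n"   # stand-in for a real TCP segment
    mail = encapsulate(packet, "winbox@corp.example", "drop@outside.example")
    assert decapsulate(mail) == packet

    log = ["from=<alice@corp.example>, to=<bob@partner.example>, size=2310",
           "from=<alice@corp.example>, to=<carol@partner.example>, size=880"]
    log += [f"from=<winbox@corp.example>, to=<drop@outside.example>, size={len(mail)}"
            for _ in range(40)]
    baseline = {("alice@corp.example", "bob@partner.example"): 5}   # usual count per window
    return flag_volume_anomalies(log, baseline)


if __name__ == "__main__":
    for (src, dst), msgs, nbytes in demo():
        print(f"ALERT {src} -> {dst}: {msgs} messages, {nbytes} bytes")
```

Running demo() pushes a constructed packet through the uuencode tunnel and back, then flags the winbox-to-drop pair, which sent 40 messages to a destination with no baseline. The check only counts messages and bytes per sender/destination pair and never looks at the body, which is why it keeps working once the body is encrypted; what it cannot do is tell a tunnel from any other legitimate burst to a new destination, so the baseline window and thresholds have to be tuned per site.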


