Firewall Wizards mailing list archives

Re: How to best protect IIS server


From: "H. Morrow Long" <long-morrow () cs yale edu>
Date: Thu, 10 Aug 2000 16:34:23 -0400

Ryan Russell wrote:
I don't believe that the PIX will do that, but it's possible to write a
proxy/SPF/firewall thingy that can do that, at least for real Telnet
clients.  Telnet clients more-or-less send escape strings at the beginning
of the setup, and occasionally later as well.  You can get your firewall
thingy to look for those.

Probably not.

Telnet clients don't send escape strings at the beginning of a telnet session,
unless your operating system or an application sends your combination telnet
client / "terminal emulator" an "escape" sequence string (e.g. a DEC VT
'Request Terminal Type ID' escape sequence string).

A telnet client will usually only attempt to do telnet client<->server
negotiations (TELNET DO/DONT WILL/WONT option negotiations) with a telnet
server.  Normally most telnet clients will only attempt telnet
protocol negotiation when connecting to servers listening on TCP
port 23 (e.g. what is assumed to be a telnet server).

Otherwise the telnet client app is not identifiable as such, nor easily
differentiated from a browser, mail client program, etc.:

session1(5)% nc -l -p 8001 -vv -o hexdump
listening on [any] 8001 ...
127.0.0.1: inverse host lookup failed: Unknown host : Socket operation on non-socket
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 38583
 sent 0, rcvd 0
session1(6)% cat hexdump
session1(7)%

session2(2)% telnet localhost 8001
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
session2(3)%

- H. Morrow Long
  Yale University Information Security Officer
  Yale Univ. ITS, InfoSec Office
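As an added example (not from the original post, and not code from any product the thread mentions), here is a small Python checker for the TELNET option negotiation Morrow describes: it flags a byte stream as telnet only if it carries IAC DO/DONT/WILL/WONT (or IAC SB ... SE subnegotiation) sequences, whatever TCP port the connection used. The sample byte strings are constructed to mirror the two sessions above (a client talking to port 23 versus one talking to port 8001).

```python
# Added example: detect TELNET option negotiation (RFC 854 framing) in a
# captured byte stream, independent of the port it was observed on.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
NEG_NAMES = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}


def telnet_negotiations(data: bytes) -> list:
    """Return (verb, option) tuples found in `data`.

    IAC + verb + option is a three-byte negotiation; IAC SB ... IAC SE is a
    subnegotiation (reported as ("SB", option)); IAC IAC is an escaped 0xFF
    data byte and is skipped, as are other two-byte commands (NOP, AYT, ...).
    """
    found = []
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC or i + 1 >= n:
            i += 1                      # ordinary data byte (or trailing IAC)
            continue
        cmd = data[i + 1]
        if cmd == IAC:                  # escaped literal 0xFF, not a command
            i += 2
        elif cmd in NEG_NAMES and i + 2 < n:
            found.append((NEG_NAMES[cmd], data[i + 2]))
            i += 3
        elif cmd == SB:                 # skip to the matching IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break                   # truncated subnegotiation: stop parsing
            found.append(("SB", data[i + 2]))
            i = end + 2
        else:
            i += 2                      # other two-byte IAC commands
    return found


def looks_like_telnet(data: bytes) -> bool:
    """True when the stream carries at least one telnet option negotiation."""
    return len(telnet_negotiations(data)) > 0


# Constructed samples: what a client typically sends to a port-23 telnet
# server (DO SUPPRESS-GO-AHEAD, WILL TERMINAL-TYPE, WILL NAWS), the empty
# stream the telnet client sends to port 8001 in the session above, and a
# browser request, which carries no negotiation either.
TELNET_TO_PORT_23 = bytes([IAC, DO, 3, IAC, WILL, 24, IAC, WILL, 31])
TELNET_TO_PORT_8001 = b""
HTTP_REQUEST = b"GET / HTTP/1.0\r\nHost: example\r\n\r\n"

if __name__ == "__main__":
    for name in ("TELNET_TO_PORT_23", "TELNET_TO_PORT_8001", "HTTP_REQUEST"):
        blob = globals()[name]
        print(name, looks_like_telnet(blob), telnet_negotiations(blob))
```

Only the port-23 sample is classified as telnet; the other two streams are indistinguishable from any other TCP client, which is Morrow's point.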
