Firewall Wizards mailing list archives

RE: Real Audio Security


From: ark () eltex ru
Date: Thu, 20 Jan 2000 13:03:13 +0300

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

Socks (and remote sockets interface as an idea) is a very special kind
of thing. Actually it has little to do with security (IMHO), but is used widely
as a security tool, providing a false sense of security that is highly dangerous.

Most people think "i have a firewall that supports socks protocol, so i
just enable it in my applications and everything works!".

Actually it is close to having no firewall at all (except you
can use private IPs). The only difference is that you have remote
sockets calls instead of local ones. All your protection is
application-based and if your application is not written properly,
you're in danger. So if some stupid piece of software binds a port
to listen for incoming connections, it can do so. If there is a buffer
overflow in it, you are owned.

Countermeasures?

Socks5 rfc advises that there should be a "control" connection to the
same server to permit reverse-connections to an allocated port. It is
not strictly followed in most implementations, AFAIR. And it will break
things like irc dcc and some other "client-client" thingies.

Restricting dangerous operations like bind? So say goodbye to all those
multimedia protocols. Socks will offer no more functionality than NAT does. 

Writing crafty rulesets who is allowed and what to do, maybe in conjunction
with IP filtering? Maybe, maybe.. I doubt you like it, but if you have
no choice, then..

A few notes on "socks" authentication. (Summary: forget it). "ident" should
not be called authentication at all and username/password one is based on
cleartext interaction. Stronger authentication options are available for
kerberized environment only and even if someone is willing to use socks
in kerberized environment they are not supported by most clients.

So - i prefer a good old application level firewall that knows every
protocol it allows to pass through. Still willing to use socks, eh?

"Moore, James" <James.Moore () MSFC NASA GOV> said :

Got any details on the weaknesses or specific exploits re Socks?

Jim Moore
256.461.4381

----------- PGP PUBLIC KEY FINGERPRINT ------------
1D9C 3AC3 34E6 EEDF 22B9  7886 7797 6908 048F 049B
---------------------------------------------------


-----Original Message-----
From:       ark () eltex ru [SMTP:ark () eltex ru]
Sent:       Wednesday, January 19, 2000 4:14 AM
To: James.Moore () MSFC NASA GOV
Cc: phil.cracknell () nomura co uk; firewall-wizards () nfr net
Subject:    RE: Real Audio Security

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

You should understand well how it works and think twice before
running socks on your firewall. You probably will not, after all.

"Moore, James" <James.Moore () MSFC NASA GOV> said :

I understand that the socks proxy is finding new applications for this
sort of thing (multimedia) due in part, I think, to the difficulty and
risks associated with passing it through a firewall. I know that NEC
(www.socks.nec.com) peddles some wares in this space - I haven't had
time to find out if there are any alternatives.

See also http://www.networkworld.com/archive/1999/76451_09-27-1999.html

Jim Moore
256.461.4381

----------- PGP PUBLIC KEY FINGERPRINT ------------
1D9C 3AC3 34E6 EEDF 22B9  7886 7797 6908 048F 049B
---------------------------------------------------


-----Original Message-----
From:   Cracknell, Phil [SMTP:phil.cracknell () nomura co uk]
Sent:   Tuesday, January 18, 2000 4:47 AM
To:     firewall-wizards () nfr net
Subject:        Real Audio Security


Two in one day!

Could someone point me to any research data on the security pitfalls
of Real Audio through a firewall?

Particularly interested in bandwidth issues, use of PN proxy or other.

Thanks

Phil
-- 


                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!
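
Added example, not part of the original thread: a minimal Python check of the kind of ruleset the message alludes to, parsing a SOCKS5 client greeting and request (wire layout per RFC 1928) and flagging BIND requests and the absence of GSS-API authentication. The policy (only CONNECT allowed), the function names and the sample byte strings are assumptions constructed for illustration.

```python
import ipaddress
import struct

METHODS = {0x00: "none", 0x01: "gssapi", 0x02: "username/password"}
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}

# Constructed sample messages (not captured traffic).
GREETING = b"\x05\x02\x00\x02"                      # offers: none, user/pass
BIND_REQ = b"\x05\x02\x00\x01" + bytes([192, 0, 2, 10]) + b"\x17\x70"
CONNECT_REQ = b"\x05\x01\x00\x03\x0bexample.com\x00\x50"

def parse_greeting(data: bytes) -> list:
    """Method negotiation: VER, NMETHODS, METHODS[NMETHODS]."""
    if len(data) < 2 or data[0] != 0x05 or len(data) != 2 + data[1]:
        raise ValueError("malformed SOCKS5 greeting")
    return [METHODS.get(m, f"0x{m:02x}") for m in data[2:]]

def parse_request(data: bytes) -> tuple:
    """Request: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT."""
    if len(data) < 7 or data[0] != 0x05 or data[2] != 0x00:
        raise ValueError("malformed SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == 0x01:            # IPv4
        alen, off = 4, 4
    elif atyp == 0x04:          # IPv6
        alen, off = 16, 4
    elif atyp == 0x03:          # domain name, length-prefixed
        alen, off = data[4], 5
    else:
        raise ValueError("unknown address type")
    if len(data) != off + alen + 2:
        raise ValueError("truncated or oversized SOCKS5 request")
    raw = data[off:off + alen]
    host = raw.decode("ascii", "replace") if atyp == 0x03 \
        else str(ipaddress.ip_address(raw))
    (port,) = struct.unpack("!H", data[off + alen:])
    return COMMANDS.get(cmd, f"0x{cmd:02x}"), host, port

def evaluate(greeting: bytes, request: bytes, allowed=("CONNECT",)) -> list:
    """Return policy findings; an empty list means nothing was flagged."""
    findings = []
    methods = parse_greeting(greeting)
    if "gssapi" not in methods:  # assumed policy: anything else is weak
        findings.append("no strong auth offered: " + ",".join(methods))
    cmd, host, port = parse_request(request)
    if cmd not in allowed:
        findings.append(f"deny {cmd} {host}:{port}")
    return findings

if __name__ == "__main__":
    print(evaluate(GREETING, BIND_REQ))
```

As the message notes, denying BIND this way also blocks the protocols that depend on inbound connections.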



