Firewall Wizards mailing list archives
RE: nmap fun
From: "LeGrow, Matt" <Matt_LeGrow () NAI com>
Date: Thu, 26 Oct 2000 12:22:06 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I can't speak for Gauntlet NT, but for Unix. And I would like to see the kind of configuration you have on your Gauntlet firewall, and whether or not transparency is enabled on the external interface. This sounds impossible to perform with a Gauntlet 5.5 in standard configuration (which, BTW, for 5.5 under Solaris will initially configured to respond on X, rpc, as well as several RPC service ports). Matt LeGrow Network Associates, Inc. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Note : Opinions expressed herein are most certainly NOT that of my employer :-)
-----Original Message----- From: Bret Watson [mailto:lists () ticm com] Sent: Thursday, October 26, 2000 10:51 AM To: Chris Calabrese Cc: Franklin DeMotto; firewall-wizards () nfr net Subject: Re: [fw-wiz] nmap fun At 09:28 AM 26/10/00 -0400, you wrote:This is a consequence of the underlying way Guantlet (and other commercial proxy-based firewalls, for that matter) interfaces with the underlying OS and isn't so easy to change. Basically, it inserts code into the underlying OS IP stack that delivers packets destined for the "proxied" systems to the proxies. Since these proxies run as regular user-mode programs, they can't examine their traffic without going through the usual socket() or TLI API's, which means they can't reject traffic without completing the TCP handshakes.Truly this is so - but the interesting bit is that nmap was finding xwindows, SNMP and other 'nice' services that would certainly attract a hacker.. but no proxy on the firewall was set for them.. But you're right - run a netbios probe across a NT Gauntlet and you'll see some interesting info - even if the packet filters are supposed to be set to bar netbios traffic... Yep Marcus was right - by getting transparent proxies we traded a definite level of security and one should always remember that the standard textbook firewall config always includes a screening router (aka packet filter) in front - its there for a reason guys!... Still it makes on truly uncomfortable trying to defend APs against packet filters when they become transparent to nmap.. Cheers, Bret _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
-----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1 Comment: Crypto Provided by Network Associates <http://www.nai.com> iQA/AwUBOfiEXvbW52zw8/NBEQIN7ACg6k4K9ppEJvUju86zAcWgEjeGGtgAnj3q 7aGTvyYgPtWfsE5kPNPvBgoE =skfs -----END PGP SIGNATURE----- _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: nmap fun Chris Calabrese (Oct 27)
- Re: nmap fun Bret Watson (Oct 27)
- Re: nmap fun Magosányi Árpád (Oct 28)
- <Possible follow-ups>
- FW: nmap fun LeGrow, Matt (Oct 27)
- RE: nmap fun Frank Knobbe (Oct 27)
- RE: nmap fun LeGrow, Matt (Oct 27)
- RE: nmap fun Bret Watson (Oct 28)
- RE: FW: nmap fun LeGrow, Matt (Oct 28)
- Re: nmap fun Bret Watson (Oct 27)