Full Disclosure mailing list archives

Re: YABBT [1] - Re: Zone Alarm


From: Jason <security () brvenik com>
Date: Thu, 05 Jun 2003 21:15:23 -0400

This is a dead thread to me. I am replying to the list because it adds a little value to the already OFF TOPIC discussion.

Ron DuFresne wrote:
>         [SNIP]
>
> 'A HW firewall can only block at the protocol level for an entire
> machine but can not reliably deny access for one program and allow
> access for another program when they are using like protocols from the
> same machine.'
>
> Still incorrect, as it seems folks are talking about packet filters only
> of one type or another.  No one seems to be considering the high end in
> the firewall realm, and this might be due to the 'homeuser' tone of the
> thread, but, what about firewalls with application proxies?  Of course
> these are not very common on a desktop or home machine...

[snip large sig block]

There are many application proxies in use on the host these days, they are often transparent as well. An easy example might be any modern virus scanner which intercepts a communication stream and emulates the application protocol to inspect it for virii.

While I see what you are trying to say you are incorrect. There is no _off system_ firewall, hardware or software, that can differentiate like protocols and the representation of those protocols simply by being inline.

Let me illustrate..

$ wget www.yahoo.com
...output

$ nc www.yahoo.com 80
GET / HTTP/1.0
User-Agent: Wget/1.8.2
Host: www.yahoo.com
Accept: */*
Connection: Keep-Alive


...output


Barring a subtle difference in the way wget and nc build the TCP connection, there is no way off system to differentiate the above two HTTP requests, and there is no off system method to identify the requesting application.

Something that might make this mildly on topic for the list would be a discussion of the next logical statements about enforcing access to the internet for specific applications using this method of thinking.

You can do anything that does not require a change on the host system.

Some suggestions:

* configure User-Agent validation
* only allow specific protocols, limited to HTTP for example.
* require user authentication

Now, with all the products out there the list has, attempt these methods of restriction and then show us how it can be evaded or otherwise rendered useless by an application other than the intended. If you believe it cannot be evaded please show your work and defend your position.

Failing this type of discussion I too SCREAM NAZI

-Jason

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
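The following is an added example, not code from the original post or from anyone in the thread. It models what an inline, off-host inspection point (packet filter or application proxy) actually has to work with: the bytes of the request and nothing else. It reproduces the wget request from the post, has a hypothetical second program emit the same bytes, and applies the two restrictions suggested above (HTTP only, approved User-Agent only). The protocol check holds; the User-Agent check passes both programs, because the proxy's only evidence of the sender is what the sender chose to write. All requests, the allow-list and the "other program" are constructed here for the demonstration.

```python
# Added example, not code from the original post: a model of what an inline,
# off-host inspection point sees, and why a User-Agent allow-list cannot
# tell one program from another. Every request below is constructed here.

from dataclasses import dataclass, field

# The request wget 1.8.2 sends, as reproduced in the post (bytes on the wire).
WGET_REQUEST = (
    b"GET / HTTP/1.0\r\n"
    b"User-Agent: Wget/1.8.2\r\n"
    b"Host: www.yahoo.com\r\n"
    b"Accept: */*\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)


def build_request(method, path, headers):
    """Emit an HTTP/1.0 request head. Any program can call this with any
    header values; nothing in the result identifies the caller."""
    lines = [f"{method} {path} HTTP/1.0"] + [f"{k}: {v}" for k, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


# A hypothetical second program that copies wget's headers verbatim
# (the nc session in the post does exactly this by hand).
OTHER_PROGRAM_REQUEST = build_request("GET", "/", [
    ("User-Agent", "Wget/1.8.2"),
    ("Host", "www.yahoo.com"),
    ("Accept", "*/*"),
    ("Connection", "Keep-Alive"),
])


@dataclass
class ParsedRequest:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)  # keys lower-cased


def parse_request(raw: bytes):
    """Parse a request head the way an inline proxy must: from bytes only.
    Returns None when the bytes are not a well-formed HTTP/1.x request,
    which is the one thing an off-host filter *can* decide reliably."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return None
        headers[name.strip().lower()] = value.strip()
    return ParsedRequest(parts[0], parts[1], parts[2], headers)


# The policy suggested in the post: HTTP only, and only an approved User-Agent.
# The allow-list contents are an assumption for the demonstration.
ALLOWED_AGENTS = {"Wget/1.8.2"}


def policy_decision(raw: bytes) -> str:
    """The off-host firewall's verdict on one request head."""
    req = parse_request(raw)
    if req is None:
        return "deny: not HTTP"
    if req.headers.get("user-agent") not in ALLOWED_AGENTS:
        return "deny: user-agent not approved"
    return "allow"


def identify_application(raw: bytes):
    """All the proxy can report about the sender is what the bytes claim."""
    req = parse_request(raw)
    return req.headers.get("user-agent") if req else None


if __name__ == "__main__":
    for label, req in [("wget", WGET_REQUEST), ("other program", OTHER_PROGRAM_REQUEST)]:
        print(f"{label:14} -> {policy_decision(req)}, seen as {identify_application(req)!r}")
    print("byte-identical:", WGET_REQUEST == OTHER_PROGRAM_REQUEST)
    print("non-HTTP       ->", policy_decision(b"SSH-2.0-OpenSSH_3.6\r\n"))
```

Run it and both requests are allowed and both are "identified" as Wget/1.8.2, while a non-HTTP stream on the same port is denied. That is the split the post draws: the inline device can enforce which protocol crosses it, but any per-application rule it applies is a rule about header text, and header text belongs to whoever opens the socket.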