Penetration Testing mailing list archives
RE: firewall question
From: "Panos Dimitriou" <p.dimitriou () encode-sec com>
Date: Fri, 15 Feb 2002 11:15:23 +0200
For CheckPoint there is a way to configure it to check that the connection complies with a valid protocol, at least for HTTP connections, and not just depending on the destination port. You can use "resources" and specifically URI resources: Type: URI Name: http_outbound_resource Connection Method:Transparent Proxy Exception Track:Log Specification:Wild Cards Match:Schemes:http Methods: * Host:* Path:* Query:* Action HTML Weeding: Response Scanning: CVP: This URI resource can protect your network from reverse shells which are established via netcat (at the TCP level). However, there is no practical way to avoid reverse shells established via something like "http tunnel" or something more elegant that will establish a SSL connection (with HTTP:Connect). This is of course no reason not to apply CheckPoint's URI resource. ________________________ Panos Dimitriou Director, Managed Security Services _________________________ ENCODE S.A. 3, R. Melodou str. 151 25 Marousi Athens, Greece _________________________ E Tel.: +30 (1) 6178410 E Fax.: +30 (1) 6109579 s p.dimitriou () encode-sec com " www.encode-sec.com _________________________ -----Original Message----- From: leon [mailto:leon () inyc com] Sent: Thursday, February 14, 2002 3:44 AM To: pen-test () securityfocus com Subject: firewall question -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I posted this to the security basics list but nobody answered the question. I thought maybe the people on this list would know the answer since they are the ones who have to get around firewalls. I have a question regarding stateful inspection firewalls (specifically pix and checkpoint). It seems to me that a lot of people use either nat or pat and that these types of firewalls by default drop unsolicited connection attempts (meaning packets that arrive with the syn bit set). Any packet that leaves the network is put in the state table so that the return packets can come back in. My question is this; if I were to exploit a client-side buffer overflow and I got the system to make a connection to me via netcat with a destination port of 80, would I circumvent a majority of the stateful inspection firewalls? It seems that these firewalls trust that ALL connections originating from the inside are good. Now I know we could block off destination ports of services we don't want to allow access to (say no port 23 traffic leaves the network because we don't allow telnet) but I am wondering if either of these firewalls have a method of filtering based on protocol (for example allow 80 to be a destination port but only http traffic can cross it. No netcat, no aim, no limewire just http. I have seen a ton of networks where I came in and I found people using things like aim even though the firewall specifically only permitted port 80 traffic out (obviously these people switched the port from 5190 to 80). So to reiterate; is there a way to configure pix or checkpoint to judge the connection based on protocol as opposed to arbitrary things like source ip, destination IP or port numbers? Cheers and thanks in advance, Leon PS: Links are appreciated if possible. -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> iQA/AwUBPGsWcNqAgf0xoaEuEQIxyQCgkN0VREzUZDZxaD6bvvxhi5J5MeMAnjmH 87LbvB+D88XdlIzKulw6uR4n =6Pir -----END PGP SIGNATURE----- ------------------------------------------------------------------------ ---- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- firewall question leon (Feb 14)
- Re: firewall question Rzac` (Feb 14)
- Re: firewall question Michael Starr (Feb 14)
- Re: firewall question John Adams (Feb 14)
- Re: firewall question dr . kaos (Feb 14)
- RE: firewall question Panos Dimitriou (Feb 15)
- <Possible follow-ups>
- Re: firewall question Dario N. Ciccarone (Feb 14)
- RE: firewall question Matt Peterson (Feb 15)
- Re: firewall question dr . kaos (Feb 15)