Re: what should I do when....

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2008-07-11 Adriel Desautels wrote:
> A firewall is software running on hardware that is designed to enforce
> security policies that have little effect on how a hacker breaks into
> your network. So long as the hacker works within those policies his or
> her traffic will be passed, and they'll get in.
>
> A firewall is not a system that *secures* a network, shielding it from
> access by unauthorized users, but it might want to be and some people
> might like to think that it does that effectively. Can you show me one
> that does *secure* a network?

For every security concept you identify threats, break them down into
distinct attack scenarios and identify countermeasures for each attack
scenario (or decide that you'll live with the risk that the given
scenario poses).

> During one of our penetration tests I convinced a user to browse to a
> page hosted on our company website. When they did, their browser was
> exploited and their computer connected back to me over https. Why did
> I choose https? I chose https because I knew that the firewall allowed
> outbound https connections for users. I then used that access to
> perform distributed metastasis and penetrate other systems. The
> firewall did not "Secure" the network and "prevent" unauthorized
> access, we still got in.

There are obviously several ways to deal with this scenario on a
firewall-level:

a) Disallow https altogether.
b) Whitelist sites that are allowed to be accessed via https.
c) Man in the middle: Break the https connection into two connections,
   one from the client to your proxy, the other from your proxy to the
   server. Then your proxy can inspect/filter the traffic.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq