Firewall Wizards mailing list archives
RE: GXD vs. SPF
From: "Paul D. Robertson" <proberts () clark net>
Date: Sat, 3 Oct 1998 13:02:35 -0400 (EDT)
On Thu, 1 Oct 1998, Hines Dennis wrote:
> > Maybe it's just me, but I still fail to see the security stance of someone who allows more than about four protocols. Tunneling over SMTP, HTTP, and DNS are pretty difficult to detect as is, but at least most of it's trendable with statistics from common gateways. How the heck do you figure out a tunnel over half a gazillion protocols and still feel a measure of protection? Was I asleep in that part of the sales pitch?
>
> Could someone fill me in a bit on the risks of tunneling over SMTP, HTTP, etc. What are the capabilities of this sort of attack? How is it accomplished (in general terms)?
For the simplest tunneling, Trojan, or exploit a client to run code that will open a raw socket, take the packets off the wire, encapsulate them in (SMTP, HTTP, DNS, ping...) and send them out. Decapsulate inbound packets and put them on the wire. Now you've got a broad tunnel in and out of the network, you can place the attacking machine on the network virtually, and attack away.

Someone a while back (sorry, I forget the direct attribution, it was many years ago) did telnet over SMTP this way, using uuencode on the packets. Latency wasn't great, but the MTU was _huge_. Since most sites allow SMTP, and don't track or have a way to automatically shut off specific mail destinations based on volumes, coopt one internal machine any way you choose (new copy of Eudora anyone?), and you've got telnet to an internal host, and access to anything it can reach.

Java applets, and the propensity to load any new "cool" application from the Internet seem to make this even easier if the site is one which has a packet filtering firewall that lets anything TCP related out so long as a client starts the conversation (this is the *default* installation for most of those vendors I've seen installing FW-1). RealAudio, Pointcast, and a few others have written their protocols to tunnel over HTTP simply because a number of us won't open more holes in our firewalls; OpenBSD will install via HTTP through a proxy server. There's nothing stopping attackers from using that mechanism to their advantage.

This is where I think Marcus' trending and analysis in NFR, and a couple of sniffer vendors, have hit the target. Unfortunately, encryption is coming to the networks, and that makes detailed traffic analysis impossible. It's one reason I still don't allow SSL.

As always, your paranoia may vary.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net    which may have no basis whatsoever in fact."
PSB#9280
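The message above argues that covert channels over SMTP are hard to spot packet by packet but that gateway volume statistics are "trendable", and notes that most sites neither track per-destination mail volume nor shut a destination off when it spikes. The following Python is an added example of that trending idea, not code from the post or from NFR: it parses a hypothetical mail-gateway log format (timestamp, sender, recipient, size), builds a per-destination-domain byte baseline from earlier days, and flags a destination whose current volume jumps well above its baseline or which is brand new and already large. The log lines, baseline figures and thresholds are all constructed for illustration.

```python
"""Per-destination volume trending over mail-gateway logs.

Added example (not from the original post). The log format below is
hypothetical; real gateways (sendmail, postfix, ...) log differently and
would need their own parser.
"""
from collections import defaultdict
import re

# Hypothetical log format: "<timestamp> from=<addr> to=<addr> size=<bytes>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) size=(?P<size>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m.group("ts"), "from": m.group("from"),
            "to": m.group("to"), "size": int(m.group("size"))}


def volume_by_destination(lines):
    """Sum bytes and message count per recipient domain."""
    totals = defaultdict(lambda: {"bytes": 0, "msgs": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip malformed or unrelated log lines
            continue
        domain = rec["to"].rsplit("@", 1)[-1].lower()
        totals[domain]["bytes"] += rec["size"]
        totals[domain]["msgs"] += 1
    return dict(totals)


def compute_baseline(history):
    """Mean daily bytes per domain over a list of earlier per-day totals.
    A domain absent on a day counts as zero bytes for that day."""
    days = len(history)
    summed = defaultdict(int)
    for day in history:
        for domain, stats in day.items():
            summed[domain] += stats["bytes"]
    return {domain: total / days for domain, total in summed.items()}


def flag_outliers(current, baseline, ratio=5.0, min_bytes=1_000_000):
    """Flag a domain when today's bytes reach `ratio` times its baseline,
    or when it has no baseline at all and already exceeds `min_bytes`."""
    flagged = {}
    for domain, stats in current.items():
        base = baseline.get(domain, 0)
        if base == 0:
            if stats["bytes"] >= min_bytes:
                flagged[domain] = ("new-destination", stats["bytes"], base)
        elif stats["bytes"] >= ratio * base:
            flagged[domain] = ("volume-spike", stats["bytes"], base)
    return flagged


# --- Constructed sample data ---------------------------------------------
# Three ordinary messages to a known partner, 250 uniform 10 kB messages to a
# relay (the kind of steady stream an encapsulated session would produce),
# one small message to a never-seen domain, and one line the parser rejects.
SAMPLE_LOG = [
    "1998-10-03T10:00:01 from=alice@corp.example to=bob@partner.example size=60000",
    "1998-10-03T10:05:12 from=carol@corp.example to=dan@partner.example size=70000",
    "1998-10-03T10:09:44 from=alice@corp.example to=eve@partner.example size=50000",
    "1998-10-03T11:00:00 from=frank@corp.example to=x@unknown.example size=5000",
    "this line is not a delivery record",
] + [
    f"1998-10-03T12:{i // 60:02d}:{i % 60:02d} from=ws17@corp.example "
    f"to=drop@relay.example.net size=10000"
    for i in range(250)
]

# Constructed per-day totals for the three preceding days.
BASELINE_HISTORY = [
    {"partner.example": {"bytes": 200000, "msgs": 4},
     "relay.example.net": {"bytes": 50000, "msgs": 5}},
    {"partner.example": {"bytes": 190000, "msgs": 3},
     "relay.example.net": {"bytes": 40000, "msgs": 4}},
    {"partner.example": {"bytes": 210000, "msgs": 5},
     "relay.example.net": {"bytes": 60000, "msgs": 6}},
]


def run_example():
    """Trend today's sample log against the constructed baseline."""
    current = volume_by_destination(SAMPLE_LOG)
    baseline = compute_baseline(BASELINE_HISTORY)
    return flag_outliers(current, baseline)


if __name__ == "__main__":
    for domain, (reason, today, base) in run_example().items():
        print(f"{domain}: {reason} ({today} bytes today, baseline {base:.0f})")
```

The ratio and minimum-byte thresholds are where the tuning effort goes in practice: a long baseline window smooths weekly cycles, and the same two functions can be driven by HTTP proxy logs keyed on destination host instead of recipient domain. Flagging is the easy half; the post's point is that a site also needs a mechanism to act on the flag, such as deferring mail to the spiking destination until someone has looked at it.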