Firewall Wizards mailing list archives
Re: dns outbound
From: chuck <fwwiz () yerkes com>
Date: Tue, 18 May 1999 09:55:15 -0700
Like tunneling ssh through the web proxy which opens up a big-ass tunnel between your system and someone elses. The answers out there seem to be 'protocol aware' proxies or filters. Checkpoint claims that they look 'into' various protocols to make sure it's http or dns. Of course it *IS* http or dns, the issue is looking into the stream more and figuring out that the payload is ICQ or similiar. Oh yeah, don't slow down the proxy while doing so. Quoting Marcus J. Ranum (mjr () clark net):
Ryan Russell wrote:Another claimed that one of his uses was able to surf the web without having to authenticate on the way out, via the DNS rule.If you have access to an external system, someplace, you can use DNS packets to contain IP packets, or you can set up an application-level proxy that tunnels over DNS packets. Kind of a lot of work, but a technically knowledgeable person behind a firewall that he/she didn't like could do it easily enough. This is a basic problem with firewalls: so much stuff can be pushed back and forth through them that they're very easy to tunnel through. What scares me is the (obvious) implication of a "firewall-aware" tunnelling trojan horse/virus that opens outgoing connections via HTTP or other protocols that firewalls typically allow. mjr. -- Marcus J. Ranum, CEO, Network Flight Recorder, Inc. work - http://www.nfr.net home - http://www.clark.net/pub/mjr
Current thread:
- dns outbound Deepak Vaidya (May 16)
- Re: dns outbound Lance Spitzner (May 17)
- Re: dns outbound Larry Chin (May 17)
- RE: dns outbound Thomas Crowe (May 18)
- Re: dns outbound Joseph S D Yao (May 17)
- <Possible follow-ups>
- Re: dns outbound David Goldsmith (May 17)
- RE: dns outbound Buckley, Neil (May 17)
- Re: dns outbound Ryan Russell (May 17)
- Re: dns outbound Marcus J. Ranum (May 18)
- Re: dns outbound chuck (May 18)
- Re: dns outbound Ge' Weijers (May 19)
- Re: dns outbound Matt McClung (May 18)
- Re: dns outbound Darren Reed (May 18)
- Re: dns outbound Bennett Todd (May 19)
- Re: dns outbound Marcus J. Ranum (May 18)
- Re: dns outbound Deepak Vaidya (May 17)
- Re: dns outbound wyllys (May 18)
- Re: dns outbound David Gillett (May 19)
- Re: dns outbound wyllys (May 21)
- Re: dns outbound Bennett Todd (May 19)