Firewall Wizards mailing list archives

Re: dirty packet tricks?


From: "Charles Swiger" <chuck () codefab com>
Date: Thu, 11 Jul 2002 14:01:05 -0400

Ryan Russell wrote:
[ ... ]
> Of course, if you've got a real router, why not just have it route the
> traffic through the proxy, like every other firewall out there?
>
> Unless I'm misunderstanding the scenario...

I think you've done a nice analysis of the level-3 aspects of the situation.
This type of thing seems useful for a couple of situations.  This "hijacking
proxy", or maybe "stealth routing proxy" sounds like a pretty good way of moving
traffic around the real ("official"?) Internet gateway to a private host
instead.

Say if you have three Internet routable machines in a DMZ or hosting facility:

router.foo.com        x.y.z.1     VLAN 1
www.foo.com           x.y.z.2     VLAN 1, VLAN 2
db-honeytrap.foo.com  x.y.z.3     VLAN 1

...and use proxy-arping or IPFW+divert ports or whatever, so that traffic from
www.foo.com really goes to:

db-real.local      10.0.0.2       VLAN 2
proxied-www.local  10.0.0.3       VLAN 2

...a private backend network using VLANs so outside traffic couldn't go to the
DB directly.  It's reasonable to believe that automated scanners and such would
quite happily go for the db-honeytrap, which would be useful for IDS purposes.

Okay.  That's fine, although one could obtain the same effect by putting
multiple interfaces on www.foo.com and you'd balance and partition your traffic
more sensibly, anyway.  But this might be useful in the event that you can't
change or take down www for artistic, religious, or political reasons.

Less pleasantly, the same technique could be used by attackers.  If you've got a
multihomed host which gets compromised and used to silently proxy internal
traffic around the official Internet connection and whatever security lies
there, that could be very hard to notice.  But I'm not sure that differs from a
tool that simply proxies internal traffic over a secret channel hidden in some
common protocol.

[ Like http or some such, with the compromised data being lightly encrypted and
masqueraded under fake .jpg or .mp3 headers to avoid IDS attention. ]

I can think of some other reasons along these lines.  Perhaps you want to do
email, and you proxy the email from an external archive machine which keeps a
complete record of all Internet email to and from the site (as some people may
soon be required to do).  But you proxy the SMTP traffic also through a spam
filter, or a virus scanner, or whatever en route to your internal network's mail
reader box.

I've had users lose today's mailbox and not be able to fix it for them beyond
restoring the nightly backup and showing them today's sendmail logs.  This could
help there, although solving a problem that happens only once or twice a year is
perhaps not worth the effort or the administrative workload of maintaining
"magic" networking tricks.

-Chuck
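Added example, not part of the thread: a defender-side check for the proxy-ARP redirection discussed above. It parses an `arp -an` style snapshot, compares it against a baseline of the DMZ hosts' expected MACs, and flags a changed mapping or one MAC answering for several IPs. The addresses and MACs are constructed placeholders standing in for x.y.z.1-3.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `arp -an` output on a BSD host.
# 192.0.2.0/24 is a documentation range used here in place of x.y.z.0/24.
SAMPLE_ARP = """\
? (192.0.2.1) at 00:11:22:33:44:01 on em0 [ethernet]
? (192.0.2.2) at 00:11:22:33:44:02 on em0 [ethernet]
? (192.0.2.3) at 00:11:22:33:44:02 on em0 [ethernet]
"""

# Constructed baseline: the MAC each DMZ host is expected to answer with.
BASELINE = {
    "192.0.2.1": "00:11:22:33:44:01",  # router.foo.com
    "192.0.2.2": "00:11:22:33:44:02",  # www.foo.com
    "192.0.2.3": "00:11:22:33:44:03",  # db-honeytrap.foo.com
}

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def parse_arp(text):
    """Return {ip: mac} from arp -an style output; MACs are lower-cased."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_anomalies(observed, baseline):
    """Flag IPs whose MAC differs from baseline, and MACs answering for
    more than one IP (the signature of a host proxy-arping for others)."""
    findings = []
    for ip, mac in observed.items():
        expected = baseline.get(ip)
        if expected and mac != expected.lower():
            findings.append(("mac-changed", ip, mac))
    by_mac = defaultdict(list)
    for ip, mac in observed.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("proxy-arp", mac, sorted(ips)))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_arp(SAMPLE_ARP), BASELINE):
        print(finding)
```

A host that legitimately carries several aliases on one interface will also trip the proxy-arp check, so put those IPs in the baseline and treat only unexpected sharing as a finding.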


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

