Firewall Wizards mailing list archives
Re: dirty packet tricks?
From: "Charles Swiger" <chuck () codefab com>
Date: Thu, 11 Jul 2002 14:01:05 -0400
Ryan Russell wrote:
[ ... ]
> Of course, if you've got a real router, why not just have it route the traffic through the proxy, like every other firewall out there? Unless I'm misunderstanding the scenario...
I think you've done a nice analysis of the level-3 aspects of the situation. This type of thing seems useful for a couple of situations. This "hijacking proxy", or maybe "stealth routing proxy", sounds like a pretty good way of moving traffic around the real ("official"?) Internet gateway to a private host instead.

Say if you have three Internet routable machines in a DMZ or hosting facility:

    router.foo.com        x.y.z.1   VLAN 1
    www.foo.com           x.y.z.2   VLAN 1, VLAN 2
    db-honeytrap.foo.com  x.y.z.3   VLAN 1

...and use proxy-arping or IPFW+divert ports or whatever, so that traffic from www.foo.com really goes to:

    db-real.local         10.0.0.2  VLAN 2
    proxied-www.local     10.0.0.3  VLAN 2

...a private backend network using VLANs so outside traffic couldn't go to the DB directly. It's reasonable to believe that automated scanners and such would quite happily go for the db-honeytrap, which would be useful for IDS purposes.

Okay. That's fine, although one could obtain the same effect by putting multiple interfaces on www.foo.com, and you'd balance and partition your traffic more sensibly anyway. But this might be useful in the event that you can't change or take down www for artistic, religious, or political reasons.

Less pleasantly, the same technique could be used by attackers. If you've got a multihomed host which gets compromised and used to silently proxy internal traffic around the official Internet connection and whatever security lies there, that could be very hard to notice. But I'm not sure that differs from a tool that simply proxies internal traffic over a secret channel hidden in some common protocol. [ Like http or some such, with the compromised data being lightly encrypted and masqueraded under fake .jpg or .mp3 headers to avoid IDS attention. ]

I can think of some other reasons along these lines.
Perhaps you want to do email, and you proxy the email from an external archive machine which keeps a complete record of all Internet email to and from the site (as some people may soon be required to do). But you proxy the SMTP traffic also through a spam filter, or a virus scanner, or whatever en route to your internal network's mail reader box.

I've had users lose today's mailbox and not be able to fix it for them beyond restoring the nightly backup and showing them today's sendmail logs. This could help there, although solving a problem that happens only once or twice a year is perhaps not worth the effort or the administrative workload of maintaining "magic" networking tricks.

-Chuck
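One check a defender can run against the "very hard to notice" case above, added here as an example and not code from the original post: given ARP replies observed on the DMZ segment, flag IPs answered by more than one MAC, flag hosts answering for several IPs (the signature a proxy-arping host produces), and compare everything against a known-good baseline. The interface name, addresses, MACs and baseline are constructed for the example.

```python
from collections import defaultdict

# Constructed ARP replies seen on the DMZ segment (VLAN 1 in the scenario above),
# as (seconds, interface, sender IP, sender MAC). All addresses are made up.
ARP_OBSERVATIONS = [
    (0, "vlan1", "192.0.2.1", "00:00:5e:00:53:01"),   # router
    (1, "vlan1", "192.0.2.2", "00:00:5e:00:53:02"),   # www
    (2, "vlan1", "192.0.2.3", "00:00:5e:00:53:03"),   # db-honeytrap
    (30, "vlan1", "192.0.2.2", "00:00:5e:00:53:02"),
    (31, "vlan1", "192.0.2.3", "00:00:5e:00:53:03"),
    (60, "vlan1", "192.0.2.3", "00:00:5e:00:53:02"),  # www's MAC now answers for the honeytrap
    (61, "vlan1", "192.0.2.1", "00:00:5e:00:53:02"),  # ...and for the router
]

# Constructed known-good IP -> MAC mapping for the segment.
BASELINE = {
    "192.0.2.1": "00:00:5e:00:53:01",
    "192.0.2.2": "00:00:5e:00:53:02",
    "192.0.2.3": "00:00:5e:00:53:03",
}


def find_arp_anomalies(observations, proxy_threshold=2):
    """Return (conflicts, proxies) with no prior knowledge of the segment.
    conflicts: {ip: sorted MACs} for IPs answered by more than one MAC.
    proxies:   {mac: sorted IPs} for MACs answering for proxy_threshold or
               more IPs on one interface, the signature of a proxy-arping host.
    """
    macs_for_ip, ips_for_mac = defaultdict(set), defaultdict(set)
    for _ts, iface, ip, mac in observations:
        macs_for_ip[(iface, ip)].add(mac)
        ips_for_mac[(iface, mac)].add(ip)
    conflicts = {ip: sorted(m) for (_, ip), m in macs_for_ip.items() if len(m) > 1}
    proxies = {mac: sorted(i) for (_, mac), i in ips_for_mac.items()
               if len(i) >= proxy_threshold}
    return conflicts, proxies


def baseline_deviations(observations, baseline):
    """Replies whose MAC differs from the baseline, or whose IP is unknown.
    This covers the case the conflict check misses: if the real host is down
    or silent, only the proxying host answers and no conflict is ever seen.
    """
    return [(ts, ip, mac) for ts, _iface, ip, mac in observations
            if baseline.get(ip) != mac]


if __name__ == "__main__":
    print(find_arp_anomalies(ARP_OBSERVATIONS))
    print(baseline_deviations(ARP_OBSERVATIONS, BASELINE))
```

On a live segment the observations would come from a passive capture (tcpdump output or a switch's ARP inspection log); the baseline check is the one that still fires when the legitimate host never answers at all.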