Firewall Wizards mailing list archives

Re: httport 3snf


From: m p <sumirati () yahoo de>
Date: Tue, 22 Oct 2002 22:43:46 +0200 (CEST)

--- Paul Robertson <proberts () patriot net> wrote:
On Tue, 22 Oct 2002, Robert E. Martin wrote:
When I was the evil firewall BOFH in a large stupid company, your
friends wouldn't have gotten SSH out of my firewall.

Ok. I believe you. Did you also have web based e-mail accounts and if 
you did, how was authentication taking place without 443 open? There 


...


Please note that I didn't do port-based firewalling for general user 
applications, I required an application layer gateway between any user's 
machine and anything outside my perimeter unless I'd been given say in 
the design and use of it and approved a different solution.


...

and why are the masses so caught up in it??? I think it's the Pied Piper 
syndrome. That will be the next issue with the parents. "Why can't billy 
use his AOL mail????" I am interested in hearing about the kind of 
firewall you used and how it was set up.

Mostly I had internal DNS on a machine I controlled, which talked to an 
external DNS I controlled which talked to the root servers.  I had a 
Postfix SMTP server with a wildcard MX that handed the mail that wasn't 
destined to me off to the downstream MS stuff, and an HTTP proxy server 
capable of blocking active content, doing outbound FTP, and HTTPS.  From 
there on out it was just a matter of permissions.  I had a couple of 
different packet filtering implementations between the proxy and the 
external routers (one commercial product and IPFilter) and then filtering 
set up on the external routers.  There was a screening router between the 
internal network and the proxy server as well.  The only thing tunneled 
that would get through was HTTP tunneled traffic, which I could either 
allow or try to block by URL, site, or if I wanted to write code, content 
inspection.  These days, I'd probably do snort rules, produce a report and 
go thwap violators (but I generally enjoy the thwapping bit.)

As for the tunneling programs: There are only "some" (not over a dozen) popular
ones out there. They all have characteristics which you can filter for in your ALG
(Application Level Gateway).
(Yes, everybody can write his/her/its own - but most are too lazy for that.)

I'm thinking about general characteristics of tunneling programs (like the ratio
of {PUT|PUSH}/GET, URI request-length etc). If anyone has ideas/information
on that (other than proxy-logs/tcpdumps) I will write them up together and put
them on a website. The idea is to write a script which reports the
misbehaviour from the log so that you can block it in future (or "nearly real time" ;)
). Please contact me offlist if you want to help or have information :)

Another thing to try is "Allow only specific browsers and add those browser
strings to your proxy configuration." 
That will help you against most programs like AIM or others that can use a
proxy but are not allowed. All it needs is a written policy "Internet access is
only allowed with Browser XY." - most kiddies don't think that far that
they have to adapt the browser string :).


I really appreciate all the discussion as I am a 3 year newbie to the 
industry. I have learned a lot and there still is a lot to learn. Again, 
this discussion started by asking you all how I can stop traffic 
generated by software that tunnels out the firewall. The message is 
clear, NOT MUCH. I have sniffed packets, blocked ports, stopped services 
and almost made a mess out of the ipchains rules in our firewall. There 
is no smoke yet, but there is fire to re-think the network security 
implementation here. This is great stuff. Keep going.


First of all:

Do NOT ONLY use a packet filter. There IS a reason for application level
gateways. 

Install an inside screening router (or packet filter with routing capabilities),
a packet filter (if you won't do routing on it), an ALG (parallel to it the
outside mail server or on top of the ALG), a packet filter, a screening router. 
Force anything, that anybody needs, to use the ALG (via a proxy or SOCKS or
plug-gw/port forwarding). 
Configure it *securely* (User A from finance needs an applet on port X to do
banking -> the IP may connect to your ALG at port X and is forwarded to the
bank.)
Do not connect your internal DNS to the outside (only for machines in a DMZ
perhaps or _very_ special admin machines). There is normally no need for it.
Only the proxy should resolve on the outside. If you have to, use BIND 9 (or
another DNS proxy that does the same) because it rebuilds every packet it
receives before it puts the packet back on the wire.

That in *whole* is called *a* firewall. 

Normally you will block anything and allow only:
- your internal mail-server to your external mail-server via SMTP
- your users to the proxy via the proxy port
- special cases (for which there should be a workflow) to the ALG
- your proxy to the internet via FTP and HTTP
- DNS for your proxy to the internet
- your external mail server to every mail server (and vice versa)
- your special cases out

Hope that helps

Marc
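The "script which reports the misbehaviour from the log" and the browser-string
allow list above, as an added worked example that is not from this post or from
any tool the thread mentions. It assumes a simple constructed proxy log format
(epoch, client IP, method, URL, status, bytes, quoted user-agent), a single
approved browser string, and the thresholds named in the code; the sample log
lines are constructed, not captured traffic.

```python
import re
from collections import defaultdict
from statistics import mean

# Log format assumed for this example (constructed, not a real proxy's native format):
#   <epoch> <client-ip> <method> <url> <status> <bytes> "<user-agent>"
LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) (\d+) (\d+) "([^"]*)"$')

# The one browser the (hypothetical) written policy permits.
ALLOWED_AGENTS = ("Mozilla/4.0 (compatible; MSIE 6.0)",)
BROWSER = ALLOWED_AGENTS[0]

# Constructed sample log: a normal browsing session, an HTTP tunnel, an IM client.
SAMPLE_LOG = [
    f'1035319200 10.1.2.10 GET http://www.example.com/ 200 5123 "{BROWSER}"',
    f'1035319201 10.1.2.10 GET http://www.example.com/img/logo.gif 200 884 "{BROWSER}"',
    f'1035319202 10.1.2.10 POST http://www.example.com/login 302 211 "{BROWSER}"',
    f'1035319205 10.1.2.10 GET http://www.example.com/news 200 12031 "{BROWSER}"',
    f'1035319209 10.1.2.10 GET http://www.example.com/news/2 200 9800 "{BROWSER}"',
    # Tunnel-like client: every request is a POST to one host with a long opaque URI,
    # and it copies the approved browser string, so only the traffic shape gives it away.
    *[f'{1035319200 + i} 10.1.2.55 POST http://relay.example.net/ch/{"a" * 220}?seq={i} '
      f'200 1400 "{BROWSER}"' for i in range(6)],
    # IM client that honours the proxy setting but announces itself honestly.
    '1035319210 10.1.2.77 GET http://login.oscar.example/ 200 300 "AIM/4.8"',
    '1035319230 10.1.2.77 GET http://login.oscar.example/ 200 300 "AIM/4.8"',
    "this line is garbage and must be skipped",
]


def parse(lines):
    """Yield one record per well-formed line; malformed lines are skipped, not fatal."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status, size, agent = m.groups()
        yield {"ts": int(ts), "client": client, "method": method.upper(),
               "url": url, "status": int(status), "bytes": int(size), "agent": agent}


def analyze(lines, allowed_agents=ALLOWED_AGENTS, min_requests=5,
            max_post_ratio=0.5, max_mean_uri=200):
    """Return {client_ip: [reason, ...]} for clients whose traffic shape or
    user-agent looks like a tunnel or a non-approved program behind the proxy."""
    per_client = defaultdict(list)
    for rec in parse(lines):
        per_client[rec["client"]].append(rec)

    findings = {}
    for client, recs in per_client.items():
        reasons = []
        # Policy check: only the approved browser string may pass the proxy.
        bad_agents = sorted({r["agent"] for r in recs if r["agent"] not in allowed_agents})
        if bad_agents:
            reasons.append("unapproved user-agent: " + ", ".join(bad_agents))
        # Shape checks need a minimum sample so one stray POST does not raise an alarm.
        if len(recs) >= min_requests:
            posts = sum(1 for r in recs if r["method"] in ("POST", "PUT"))
            ratio = posts / len(recs)
            if ratio > max_post_ratio:
                reasons.append(f"POST/PUT ratio {ratio:.2f} over {len(recs)} requests")
            avg_len = mean([len(r["url"]) for r in recs])
            if avg_len > max_mean_uri:
                reasons.append(f"mean URI length {avg_len:.0f}")
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in sorted(analyze(SAMPLE_LOG).items()):
        print(client)
        for reason in reasons:
            print("   ", reason)
```

Run over a real proxy log this becomes a daily report (or a cron job every few
minutes for the "nearly real time" variant); the thresholds are the part to
tune against your own baseline, since a web application that legitimately
POSTs constantly will trip the ratio check just as a tunnel does.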

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
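The "block anything and allow only" list from the post, written out as a
first-match, default-deny policy with a small evaluator so the effect on a
given connection attempt can be checked. This is an added example, not the
post's or any product's ruleset; all addresses, the DMZ layout, the proxy and
plug-gw ports, the finance "special case" host and the bank address are
assumptions for illustration, and HTTPS (443) for the proxy is taken from
Paul's description rather than Marc's list.

```python
import ipaddress


def host(addr):
    """A single host as a /32 network, so every rule field is a network."""
    return ipaddress.ip_network(addr + "/32")


# Constructed addresses for this example (assumptions, not from the post).
INTERNAL_NET  = ipaddress.ip_network("10.1.0.0/16")   # users and internal servers
DMZ_NET       = ipaddress.ip_network("192.0.2.0/24")  # ALG / proxy and external mail server
ANY           = ipaddress.ip_network("0.0.0.0/0")
INTERNAL_MAIL = host("10.1.0.25")
EXTERNAL_MAIL = host("192.0.2.25")
ALG           = host("192.0.2.10")    # the proxy / application level gateway
FINANCE_HOST  = host("10.1.5.7")      # the one workflow-approved "special case" workstation
BANK          = host("198.51.100.80")
PROXY_PORT, BANK_PORT = 3128, 8443    # assumed proxy port and plug-gw port for the bank applet

# Rules are (name, action, source, destination, protocol, destination ports or None for any).
# First match wins; a connection that matches nothing is dropped.
RULES = [
    ("DMZ never initiates into the internal net", "deny", DMZ_NET, INTERNAL_NET, "any", None),
    ("internal mail server -> external mail server, SMTP", "allow", INTERNAL_MAIL, EXTERNAL_MAIL, "tcp", {25}),
    ("users -> proxy port on the ALG", "allow", INTERNAL_NET, ALG, "tcp", {PROXY_PORT}),
    ("special case via workflow: finance host -> ALG plug-gw port", "allow", FINANCE_HOST, ALG, "tcp", {BANK_PORT}),
    ("proxy -> internet, HTTP/HTTPS/FTP", "allow", ALG, ANY, "tcp", {80, 443, 21}),
    ("DNS for the proxy only", "allow", ALG, ANY, "udp", {53}),
    ("external mail server -> any mail server", "allow", EXTERNAL_MAIL, ANY, "tcp", {25}),
    ("any mail server -> external mail server", "allow", ANY, EXTERNAL_MAIL, "tcp", {25}),
    ("special case out: ALG plug-gw -> bank", "allow", ALG, BANK, "tcp", {BANK_PORT}),
]


def decide(src, dst, proto, dport, rules=RULES):
    """Return (action, rule name) for one new connection attempt."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, action, snet, dnet, rproto, ports in rules:
        if (s in snet and d in dnet and rproto in ("any", proto)
                and (ports is None or dport in ports)):
            return action, name
    return "deny", "default deny"


if __name__ == "__main__":
    # A user trying SSH or direct HTTP out never matches an allow rule;
    # the only way to the outside is through the proxy port on the ALG.
    for flow in [("10.1.2.10", "198.51.100.7", "tcp", 22),
                 ("10.1.2.10", "198.51.100.7", "tcp", 80),
                 ("10.1.2.10", "192.0.2.10", "tcp", PROXY_PORT),
                 ("192.0.2.10", "10.1.2.10", "tcp", 80)]:
        print(flow, "->", decide(*flow))
```

The point of the evaluator is the last line of decide(): whatever is not
listed is dropped, so a tunneling program on a workstation has exactly one
path out, the proxy port, where the ALG's own checks apply. Stateful details
such as FTP data channels and the return half of each connection are left to
the real packet filter; this only models who may initiate what.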

