Firewall Wizards mailing list archives
Re: Ok, so now we have a firewall, we're safe, right?
From: Vinicius Moreira Mello <fake-anti-spam-addr () inf ufrgs br>
Date: Mon, 30 May 2005 23:11:57 -0300
Paul D. Robertson wrote:
> http://www.theinquirer.net/?article=23575
> (should lead to the next URL w/o registration in the more link at the bottom:)
> http://www.smh.com.au/news/Breaking/18-in-Israel-accused-of-hightech-spying/2005/05/30/1117305525972.html?oneclick=true
>
> If ever there were a wakeup call for people to start analyzing their firewall logs, this is it- nobody at any of the companies involved figured this out due to firewall logs, an author figured it out because their unpublished book was leaking.
This is something I've been thinking about for a while. There's increasing evidence that spyware is dropping trojans, sometimes with rootkits, to do some advanced data harvesting. Even if you have a highly restrictive security policy that permits only outbound HTTP traffic through a proxy, it's still very difficult to prevent data leaking (for example via HTTP POSTs).

Even if you collect your firewall and IDS logs and build an early warning system to track internal machines' behavior, it's hard to notice, for example, one machine with an IRC bot connecting to an IRC server through port 443/TCP or 8080/TCP, which is common with SDBot or Mytob worm variants. It's easy to spot trends when bots do mass scans of ports. But how do you track stealthy trojans?

The best approach I know, and one that many on this list defend, is the "old school model": everybody privately addressed and proxied. This model has great value, but even today IMHO it is not sufficient to prevent data leaking or tunneling protocols over HTTP.

So, my question is: how can we, in our best thoughts, reduce the impact of data leaking or backdoors through client vulnerabilities? (I know this question is rather vague and goal/business/topology dependent, but I would like to read your opinions.)

Best regards,
vmm.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
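The post above asks how a bot parked on 443/TCP or 8080/TCP, or a trojan pushing data out through HTTP POSTs, could be picked out of firewall and proxy logs. The script below is an added example, not code from the original thread or from any list member; it illustrates two cheap heuristics a defender can run over per-connection records. The log format (src, dst, dport, bytes_out, bytes_in, duration) and the sample lines are constructed for the example and do not correspond to any vendor's log format. The thresholds are assumptions to be tuned against a site's own baseline.

```python
"""Heuristic review of outbound web-port connection records for two of the
behaviours discussed on the list: an idle, long-lived "HTTP" session that
is really a chat-style control channel, and a connection that pushes far
more data out than it pulls in. Added example; log format is constructed."""
from dataclasses import dataclass


@dataclass
class Conn:
    src: str        # internal client address
    dst: str        # external server address
    dport: int      # destination port
    bytes_out: int  # bytes sent by the internal client
    bytes_in: int   # bytes received by the internal client
    duration: int   # connection lifetime in seconds


WEB_PORTS = {80, 443, 8080}

# Constructed sample records: ordinary browsing sessions, one host holding a
# near-silent connection open for two hours on 443, and one host uploading
# several megabytes to an 8080 listener.
SAMPLE_LOG = """\
# src dst dport bytes_out bytes_in duration
10.0.1.5 203.0.113.10 443 4120 88210 12
10.0.1.5 203.0.113.11 443 2200 51000 9
10.0.1.7 203.0.113.10 443 3900 90120 15
10.0.1.9 198.51.100.7 443 900 1200 7200
10.0.1.9 198.51.100.7 443 850 1100 7100
10.0.1.12 203.0.113.10 443 5100 70000 11
10.0.1.12 198.51.100.20 8080 3800000 4200 95
10.0.1.5 203.0.113.12 80 1500 30000 4
"""


def parse_log(text):
    """Parse the constructed whitespace-separated format into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport, bytes_out, bytes_in, duration = line.split()
        conns.append(Conn(src, dst, int(dport), int(bytes_out),
                          int(bytes_in), int(duration)))
    return conns


def long_lived_idle(conns, min_duration=3600, max_rate=10.0):
    """Web-port connections open far longer than a browser session while
    moving almost nothing: a browser fetch lasts seconds, an idle bot sits
    on its server for hours. max_rate is total bytes per second (assumed)."""
    hits = []
    for c in conns:
        if c.dport in WEB_PORTS and c.duration >= min_duration:
            if (c.bytes_out + c.bytes_in) / c.duration <= max_rate:
                hits.append(c)
    return hits


def upload_heavy(conns, ratio=5.0, min_bytes=1_000_000):
    """Web-port connections where outbound volume dominates inbound. Browsing
    pulls more than it pushes, so a large push (a POST-based leak) stands out.
    ratio and min_bytes are assumed thresholds."""
    return [c for c in conns
            if c.dport in WEB_PORTS
            and c.bytes_out >= min_bytes
            and c.bytes_out >= ratio * max(c.bytes_in, 1)]


def review(text):
    """Run both heuristics and return the distinct (src, dst, dport) tuples
    each one flags, so a reviewer sees hosts and peers rather than raw rows."""
    conns = parse_log(text)
    key = lambda c: (c.src, c.dst, c.dport)
    return {
        "idle_channels": sorted({key(c) for c in long_lived_idle(conns)}),
        "bulk_uploads": sorted({key(c) for c in upload_heavy(conns)}),
    }


if __name__ == "__main__":
    for label, flagged in review(SAMPLE_LOG).items():
        print(label)
        for src, dst, dport in flagged:
            print(f"  {src} -> {dst}:{dport}")
```

Neither rule proves a compromise on its own; each produces a short list of internal hosts worth a closer look, which is the most a firewall log can give when the payload is encrypted or the channel is dressed up as HTTP. On a real proxy, the same two signals are available from the request method and size fields and from connection duration.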