Firewall Wizards mailing list archives

Re: Ok, so now we have a firewall, we're safe, right?


From: Vinicius Moreira Mello <fake-anti-spam-addr () inf ufrgs br>
Date: Mon, 30 May 2005 23:11:57 -0300

Paul D. Robertson wrote:
http://www.theinquirer.net/?article=23575

(should lead to the next URL w/o registration in the more link at the
bottom:)
http://www.smh.com.au/news/Breaking/18-in-Israel-accused-of-hightech-spying/2005/05/30/1117305525972.html?oneclick=true

If ever there were a wakeup call for people to start analyzing their
firewall logs, this is it - nobody at any of the companies involved figured
this out from firewall logs; an author figured it out because their
unpublished book was leaking.

This is something I've been thinking about for a while. There's increasing
evidence that spyware is dropping trojans, sometimes with rootkits, to do
some advanced data harvesting. Even if you have a highly restrictive
security policy that permits only outbound HTTP traffic through a proxy,
it's still very difficult to prevent data leaking (for example via HTTP
POSTs).

Even if you collect your firewall and IDS logs and build an early
warning system to track internal machines' behavior, it's hard to notice,
for example, one machine with an IRC bot connecting to an IRC server
through port 443/TCP or 8080/TCP, which is common with SDBot or Mytob
worm variants.

It's easy to spot trends when bots do mass scans of ports. But how do
you track stealth trojans? The best approach I know, and that many on
this list defend, is the "old school model": everybody privately
addressed and proxied. This model has great value, but still today IMHO
is not sufficient to prevent data leaking or tunneling protocols over HTTP.

So, my question is: how can we, in our best thoughts, reduce the impact of
data leaking or backdoors through client vulnerabilities? (I know this
question is rather vague and goal/business/topology dependent, but I
would like to read your opinions.)

Best regards,
vmm.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
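The post above asks how an early-warning system could notice a single host talking to an IRC server on 443/TCP or 8080/TCP among ordinary web traffic. The following is an added example, not code from the original thread or from any product it mentions: it runs two defender-side checks over constructed iptables-style firewall log lines. First, in a "proxied-only" design, any client other than the sanctioned proxy (assumed here to be 10.0.0.5) making direct outbound connections on 443 or 8080 is a policy deviation worth reviewing. Second, a bot that reconnects to the same server on a timer produces evenly spaced connection attempts, so regular intervals to one destination are flagged as possible beaconing. The log format, addresses and thresholds are all assumptions for the demonstration.

```python
"""Two checks over firewall logs for the 'bot hiding on 443/8080' problem.

1. direct_outbound(): hosts other than the proxy opening outbound 443/8080.
2. beacons(): (src, dst, port) tuples contacted at suspiciously regular intervals.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines in a simplified iptables LOG style (not real data).
SAMPLE_LOG = """\
May 30 22:00:01 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=443
May 30 22:00:02 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.11 PROTO=TCP SPT=40002 DPT=443
May 30 22:05:00 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=8080
May 30 22:10:00 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=198.51.100.7 PROTO=TCP SPT=51001 DPT=8080
May 30 22:15:01 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=198.51.100.7 PROTO=TCP SPT=51002 DPT=8080
May 30 22:20:00 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=198.51.100.7 PROTO=TCP SPT=51003 DPT=8080
May 30 22:07:13 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.77 DST=192.0.2.9 PROTO=TCP SPT=33000 DPT=443
May 30 22:09:44 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.77 DST=192.0.2.20 PROTO=TCP SPT=33001 DPT=443
"""

PROXY_HOSTS = {"10.0.0.5"}      # assumed address of the sanctioned web proxy
WATCHED_PORTS = {443, 8080}      # ports the post names as common bot hideouts

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Parse log lines into dicts with a datetime, source, destination and dest port."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not look like connection records
        # Syslog timestamps carry no year; deltas between records are all we need.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        records.append({"ts": ts, "src": m.group("src"),
                        "dst": m.group("dst"), "dpt": int(m.group("dpt"))})
    return records


def direct_outbound(records, proxies=PROXY_HOSTS, ports=WATCHED_PORTS):
    """Map each non-proxy source to the (dst, port) pairs it reached directly.

    In a proxied-only network these connections should not exist at all, so
    even ACCEPTed ones point at a rule gap or a host bypassing the proxy.
    """
    hits = defaultdict(set)
    for r in records:
        if r["dpt"] in ports and r["src"] not in proxies:
            hits[r["src"]].add((r["dst"], r["dpt"]))
    return dict(hits)


def beacons(records, min_hits=4, max_jitter=0.2):
    """Return (src, dst, dpt, mean_interval_s) for regularly repeated connections.

    Regularity is measured as population stddev / mean of the gaps between
    consecutive connections; a ratio at or below max_jitter is flagged.
    """
    by_flow = defaultdict(list)
    for r in records:
        by_flow[(r["src"], r["dst"], r["dpt"])].append(r["ts"])
    flagged = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append((*flow, avg))
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, dests in direct_outbound(recs).items():
        print(f"direct outbound from {src}: {sorted(dests)}")
    for src, dst, dpt, avg in beacons(recs):
        print(f"possible beacon: {src} -> {dst}:{dpt} every ~{avg:.0f}s")
```

On the sample data the proxy's own traffic is ignored, 10.0.0.42 and 10.0.0.77 are reported for bypassing the proxy, and only 10.0.0.42's four connections to 198.51.100.7:8080 at roughly five-minute spacing are flagged as a beacon. The thresholds (four hits, 20% jitter) are starting points; real bots add random sleep, so widen the jitter and lengthen the observation window before trusting the absence of a hit.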
