Firewall Wizards mailing list archives

Re: Ok, so now we have a firewall, we're safe, right?


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 31 May 2005 18:11:31 -0400 (EDT)

On Mon, 30 May 2005, Vinicius Moreira Mello wrote:

> This is something I've been thinking about for a while. There's increasing
> evidence that spyware is dropping trojans, sometimes with rootkits, to do
> some advanced data harvesting. Even if you have a highly restrictive
> security policy that permits only outbound HTTP traffic through a proxy,
> it's still very difficult to prevent data leaking (for example via HTTP
> POSTs).

Ah, but in-band attacks are always difficult to prevent, which is why you
at least have to raise the bar to detecting them.

> Even if you collect your firewall and IDS logs and build an early
> warning system to track internal machines' behavior, it's hard to notice,
> for example, one machine with an IRC bot connecting to an IRC server
> through port 443/TCP or 8080/TCP, which is common with SDBot or Mytob
> worm variants.

It shouldn't be all that difficult though: the times are likely to be out
of kilter, the data to a single site are likely to be out of kilter, and
the session lengths should be huge.  The existence of the sites popping up
on a list should also have a different infection pattern than URLs passed
in e-mail...

> It's easy to spot trends when bots do mass scans of ports. But how do
> you track stealth trojans? The best approach I know, and one that many on
> this list defend, is the "old school model": everybody privately
> addressed and proxied. This model has great value but today IMHO is still
> not sufficient to prevent data leaking or tunneling protocols over HTTP.

> So, my question is: how can we, in our best thoughts, reduce the impact of
> data leaking or backdoors through client vulnerabilities? (I know this
> question is rather vague and goal/business/topology dependent, but I
> would like to read your opinions.)

Know your traffic, know the normal sites, normal rates, normal clients,
and look for what's different.  Do random spot checks.  See what the
actual client programs are, all the standard security stuff that's always
worked as well as these things can.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
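Paul's advice (know the normal sites, rates, clients and session lengths, then look for what's different) can be turned into a small baseline check. The following is an added example, not code from the original post or from anyone on the list. It parses a constructed, hypothetical proxy session log format, builds a robust median/MAD baseline of session length and outbound volume, and flags sessions that are off-hours, out of kilter in length or volume, send more than they receive, or go to a host on 443/8080 that is not on the known-sites list. The log format, host names, addresses, business hours and thresholds are all assumptions for illustration.

```python
"""Baseline-and-deviation check over constructed proxy/firewall session logs.

Hypothetical log format (one finished session per line, assumed here):
    <ISO timestamp> <client_ip> <dst_host> <dst_port> <duration_s> <bytes_out> <bytes_in>
"""
import statistics
from datetime import datetime

# Constructed sample: ordinary daytime browsing sessions plus one long-lived,
# off-hours connection to an unfamiliar address on 443/TCP that mostly uploads.
SAMPLE_LOG = """\
2005-05-30T09:12:04 10.1.1.21 www.example.com 80 12 2100 48000
2005-05-30T09:15:40 10.1.1.22 mail.example.net 443 35 9800 120000
2005-05-30T10:02:11 10.1.1.23 www.example.com 443 20 4100 65000
2005-05-30T11:45:09 10.1.1.21 news.example.org 80 8 1500 30000
2005-05-30T14:30:52 10.1.1.24 mail.example.net 443 40 12000 140000
2005-05-30T16:10:33 10.1.1.22 www.example.com 80 15 2600 52000
2005-05-30T03:17:45 10.1.1.25 203.0.113.77 443 14400 380000 9000
"""

KNOWN_SITES = {"www.example.com", "mail.example.net", "news.example.org"}  # assumed
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local is assumed "normal"
PROXY_PORTS = {443, 8080}       # ports the post names as bot cover traffic
K = 5                           # MAD multiplier: "more than 5 robust sigmas"


def parse_line(line):
    """Split one log line into typed fields."""
    ts, client, host, port, dur, out, inb = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "host": host,
            "port": int(port), "duration": int(dur),
            "bytes_out": int(out), "bytes_in": int(inb)}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def robust_stats(values):
    """Median and median absolute deviation; outliers barely move them."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1.0
    return med, mad


def build_baseline(records):
    """What 'normal' looks like for the fields the post says go out of kilter."""
    return {f: robust_stats([r[f] for r in records])
            for f in ("duration", "bytes_out")}


def is_outlier(value, stats):
    med, mad = stats
    return value > med + K * mad


def flag_session(r, baseline, known_sites=KNOWN_SITES):
    """Return the list of reasons a session deviates from the baseline."""
    reasons = []
    if r["ts"].hour not in BUSINESS_HOURS:
        reasons.append("off-hours")
    if is_outlier(r["duration"], baseline["duration"]):
        reasons.append("session length out of kilter")
    if is_outlier(r["bytes_out"], baseline["bytes_out"]):
        reasons.append("outbound volume out of kilter")
    if r["bytes_out"] > r["bytes_in"]:
        reasons.append("client sends more than it receives")
    if r["port"] in PROXY_PORTS and r["host"] not in known_sites:
        reasons.append("unknown destination on %d/TCP" % r["port"])
    return reasons


def find_anomalies(text, known_sites=KNOWN_SITES):
    """Map (client, host) -> reasons for every session that deviates."""
    records = parse_log(text)
    baseline = build_baseline(records)
    flagged = {}
    for r in records:
        reasons = flag_session(r, baseline, known_sites)
        if reasons:
            flagged[(r["client"], r["host"])] = reasons
    return flagged


if __name__ == "__main__":
    for (client, host), reasons in find_anomalies(SAMPLE_LOG).items():
        print("%s -> %s: %s" % (client, host, ", ".join(reasons)))
```

Median and MAD are used rather than mean and standard deviation so that the one bad session does not drag the baseline towards itself; in practice the baseline would be built from days of history per client rather than the seven constructed lines, and the known-sites list would come from the proxy's own history of what users actually visit.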