Full Disclosure mailing list archives
Re: YABBT [1] - Re: Zone Alarm
From: Jason <security () brvenik com>
Date: Thu, 05 Jun 2003 21:15:23 -0400
This is a dead thread to me. I am replying to list because it adds a little value to the already OFF TOPIC discussion.
Ron DuFresne wrote:
[SNIP]
> 'A HW firewall can only block at the protocol level for an entire machine but can not reliably deny access for one program and allow access for another program when they are using like protocols from the same machine.'
>
> Still incorrect, as it seems folks are talking about packet filters only of one type or another. No one seems to be considering the high end in the firewall realm, and this might be due to the 'homeuser' tone of the thread, but, what about firewalls with application proxies? Of course these are not very common on a desktop or home machine...
[snip large sig block]

There are many application proxies in use on the host these days, they are often transparent as well. An easy example might be any modern virus scanner which intercepts a communication stream and emulates the application protocol to inspect it for virii.
While I see what you are trying to say, you are incorrect. There is no _off system_ firewall, hardware or software, that can differentiate like protocols and the representation of those protocols simply by being inline.
Let me illustrate..

    $ wget www.yahoo.com
    ...output

    $ nc www.yahoo.com 80
    GET / HTTP/1.0
    User-Agent: Wget/1.8.2
    Host: www.yahoo.com
    Accept: */*
    Connection: Keep-Alive

    ...output

Barring a subtle difference in the way wget and nc build the tcp connection, there is no way off system to differentiate the above two HTTP requests and there is no off system method to identify the requesting application.
Something that might make this mildly on topic for the list would be a discussion of the next logical statements about enforcing access to the internet for specific applications using this method of thinking.
You can do anything that does not require a change on the host system. Some suggestions:

* configure User-Agent validation
* only allow specific protocols, limited to HTTP for example.
* require user authentication

Now, with all the products out there the list has, attempt these methods of restriction and then show us how it can be evaded or otherwise rendered useless by an application other than the intended. If you believe it cannot be evaded please show your work and defend your position.
Failing this type of discussion I too SCREAM NAZI

-Jason

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
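The wget/nc transcript and the "User-Agent validation / HTTP only" suggestions above, worked through as an added example (this is editor-supplied code, not part of Jason's mail or any product mentioned in the thread). It models an inline filter that sees nothing but the bytes on the wire and enforces exactly the restrictions suggested: HTTP only, GET/HEAD only, Host required, and a User-Agent allow-list. The request bytes are constructed here to mirror the mail's transcript, and the allow-list regex and the filter's rule set are assumptions chosen for the illustration. A second client that copies the permitted client's headers produces byte-identical input and therefore gets the identical verdict, which is the point the mail makes about off-system identification of the requesting program.

```python
"""
Editor-added example, not code from the original mail.

An inline (off-host) HTTP filter can only judge the bytes it sees. This
script builds the request wget 1.8.2 sends, builds the same request from an
arbitrary program (the mail's `nc` case), and runs both through a filter
that applies the restrictions suggested in the mail.
"""
import re
from typing import Dict, Tuple

# Constructed to mirror the transcript in the mail: what wget 1.8.2 emits.
WGET_REQUEST = (
    b"GET / HTTP/1.0\r\n"
    b"User-Agent: Wget/1.8.2\r\n"
    b"Host: www.yahoo.com\r\n"
    b"Accept: */*\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)


def forged_request(method: bytes = b"GET", path: bytes = b"/",
                   host: bytes = b"www.yahoo.com",
                   user_agent: bytes = b"Wget/1.8.2") -> bytes:
    """Any other program (nc typed by hand, or something less benign) can
    emit this: it just copies the headers the permitted client uses."""
    return (method + b" " + path + b" HTTP/1.0\r\n"
            + b"User-Agent: " + user_agent + b"\r\n"
            + b"Host: " + host + b"\r\n"
            + b"Accept: */*\r\n"
            + b"Connection: Keep-Alive\r\n"
            + b"\r\n")


def parse_request(raw: bytes) -> Tuple[bytes, bytes, bytes, Dict[bytes, bytes]]:
    """Minimal HTTP/1.x request-head parser: request line plus headers."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("bad request line")
    method, target, version = parts
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


# Assumed allow-list policy: only wget-style User-Agent strings are permitted.
ALLOWED_AGENTS = re.compile(rb"^Wget/\d+(\.\d+)*$")


def filter_verdict(raw: bytes) -> str:
    """Decide the way an inline proxy must: on the bytes alone.
    Rules are the mail's suggestions (HTTP only, User-Agent validation)
    plus a method and Host check, all assumed for this example."""
    try:
        method, _target, version, headers = parse_request(raw)
    except ValueError as err:
        return "deny: " + str(err)
    if not version.startswith(b"HTTP/1."):
        return "deny: not HTTP"
    if method not in (b"GET", b"HEAD"):
        return "deny: method"
    if b"host" not in headers:
        return "deny: no Host"
    if not ALLOWED_AGENTS.match(headers.get(b"user-agent", b"")):
        return "deny: user-agent"
    return "allow"


def compare_clients() -> Dict[str, object]:
    """Run the real wget request and the copied one through the filter."""
    forged = forged_request()
    return {
        "identical_bytes": forged == WGET_REQUEST,
        "wget_verdict": filter_verdict(WGET_REQUEST),
        "forged_verdict": filter_verdict(forged),
        # A client that does not bother to copy the header is the only
        # one the User-Agent rule ever stops.
        "honest_other_client_verdict":
            filter_verdict(forged_request(user_agent=b"curl/7.0")),
    }


if __name__ == "__main__":
    for name, value in compare_clients().items():
        print(f"{name}: {value}")
```

The filter is doing real work (it rejects non-HTTP, non-GET/HEAD, Host-less and unknown-agent requests), yet the two requests it is asked to tell apart are the same bytes, so no rule that reads the stream can separate them. Whatever distinguishes the two cases lives on the originating host (which process opened the socket), which is the change on the host system the mail rules out.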