Penetration Testing mailing list archives

Re: firewall question


From: "Dario N. Ciccarone" <dciccaro () cisco com>
Date: Thu, 14 Feb 2002 17:12:03 -0300


It seems to me that a lot of people use either nat or pat and that
these types of firewalls by default drop unsolicited connection
attempts (meaning packets that arrive with the syn bit set). Any
packet that leaves the network is put in the state table so that the
return packets can come back in. My question is this: if I were to
exploit a client-side buffer overflow and I got the system to make a
connection to me via netcat with a destination port of 80, would I
circumvent a majority of the stateful inspection firewalls?  It seems

depends on configuration. you can block all outgoing traffic, or force the user to authenticate to the firewall before 
being allowed to go out.

that these firewalls trust that ALL connections originating from the
inside are good.  Now I know we could block off destination ports of
services we don't want to allow access to (say no port 23 traffic
leaves the network because we don't allow telnet) but I am wondering
if either of these firewalls has a method of filtering based on
protocol (for example allow 80 to be a destination port but only http
traffic can cross it.  No netcat, no aim, no limewire just http).

that would be a proxy type firewall. PIX and Checkpoint are both stateful packet filters. a proxy firewall can inspect 
the traffic, and upon realizing it's not HTTP (it's not conformant to spec) it could drop it.

of course, nothing prevents you from using something like httptunnel . . . 
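To make the distinction drawn in this reply concrete, here is an added example written for this archive page; it is hypothetical toy code, not PIX, Checkpoint or httptunnel code, and the class and function names, the sample addresses and the two sample payloads are all constructed. It models a stateful packet filter (port policy plus a state table, no payload inspection) beside a proxy-style check that asks whether the first client bytes of a port-80 flow are actually a well-formed HTTP/1.x request. The same outbound flow passes the first and is dropped by the second; as the reply notes, a tunnel that wraps its traffic in conformant HTTP requests would still pass the second.

```python
import re

# Request-line shape from RFC 2616: METHOD SP Request-URI SP HTTP-Version CRLF
_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT"}
# header line must start with an RFC 2616 token followed by ":"
_HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:")


class StatefulPacketFilter:
    """Toy model (hypothetical) of a NAT/PAT stateful packet filter.

    It enforces a destination-port policy on outbound connections, records each
    one in a state table so the replies can come back in, and drops unsolicited
    inbound SYNs. It never looks at payload, which is the gap the thread is about.
    """

    def __init__(self, allowed_dst_ports):
        self.allowed_dst_ports = set(allowed_dst_ports)
        self.state = set()  # (src, sport, dst, dport) of every outbound flow

    def outbound_syn(self, src, sport, dst, dport):
        if dport not in self.allowed_dst_ports:
            return "drop"
        self.state.add((src, sport, dst, dport))
        return "pass"

    def inbound(self, src, sport, dst, dport, syn=False):
        if syn:
            return "drop"  # unsolicited connection attempt
        # reply direction: swap the tuple and look for the originating flow
        return "pass" if (dst, dport, src, sport) in self.state else "drop"


def looks_like_http_request(payload):
    """Proxy-style conformance check on the first client bytes of a port-80 flow.

    Returns True only for a syntactically valid HTTP/1.x request head: a known
    method on a proper request line, header lines of the form name: value,
    and an empty line terminating the header block.
    """
    m = _REQUEST_LINE.match(payload)
    if not m or m.group(1) not in _METHODS:
        return False
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False  # header block never terminated
    for line in head.split(b"\r\n")[1:]:
        if not _HEADER_LINE.match(line):
            return False
    return True


def decide(fw, flow, first_bytes, proxy_inspection):
    """Port policy and state table first, then optional payload inspection on port 80."""
    src, sport, dst, dport = flow
    verdict = fw.outbound_syn(src, sport, dst, dport)
    if verdict == "pass" and proxy_inspection and dport == 80:
        if not looks_like_http_request(first_bytes):
            fw.state.discard(flow)  # proxy tears the flow down, so no reply state
            return "drop (not HTTP)"
    return verdict


# Constructed sample payloads: a real-looking request and an arbitrary non-HTTP banner.
HTTP_REQ = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
NOT_HTTP = b"SSH-2.0-OpenSSH_3.1\r\n"


if __name__ == "__main__":
    flow = ("10.0.0.5", 40001, "203.0.113.7", 80)  # constructed addresses
    print("stateful filter only :", decide(StatefulPacketFilter({80, 443}), flow, NOT_HTTP, False))
    print("with proxy inspection:", decide(StatefulPacketFilter({80, 443}), flow, NOT_HTTP, True))
    print("with proxy inspection:", decide(StatefulPacketFilter({80, 443}), flow, HTTP_REQ, True))
```

Running it prints `pass` for the non-HTTP flow under the stateful filter alone and `drop (not HTTP)` once the conformance check is applied, while the genuine request passes both. The check is deliberately strict about syntax only; it says nothing about what is carried inside a valid request, which is why the reply's point about httptunnel stands.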


