Vulnerability Development mailing list archives
Re: Firewalls and stuff (Was about N2H2)
From: mark () NS1 LOONEY COM (Mark)
Date: Sat Jun 17 13:52:53 2000
> Hmmm ... are you allowing the workstations to SSH out? If so, then the kiddles can port forward a local port and surf on a remote, public proxy. If not, then how do you expect to do secure remote access?
Our current situation is that these are W*ndows machines running on a Novell network. The only access to the outside are through a handful of Unix servers. This makes off-site administration of the NetWare network impossible at the moment the way things are set up. Solutions are being researched. The first step is getting the NetWare network to a point where it can be managed remotely within the organization. That happens this summer. SSH is the method being used for remote administration of the Unix servers. However, at the moment, I'm the only one using it, and the only one performing remote administration. This will change as I continue to educate my co-workers.
> Bottom line: firewalls are UTTERLY USELESS at containing people on the inside. If they wanna get out, they will.
This is probably true. But they make things more challenging.
> The most vigorous example of this is Marcus Ranum's implementation of TCP/IP running on top of DNS requests.
Do you have any pointers to information about this? It -sounds- like it's some form of tunnel, which would require something on another end to support it. But, I do confess that to be a wild guess :)
> You CANNOT block someone on the inside from communicating data with the outside. It's fairly difficult just detecting such communication if they don't want you to find it.
Again, probably true. Maybe not. For the TCP/IP over DNS, a sudden surge in DNS traffic would be suspicious. But, we are a really slow, backwoods-type school system. We do have a few kid stars, but on the average, people here don't even know how to use a computer, much less accomplish the above.

I am amazed (and ashamed) at hearing of wonders happening in other school systems, and other areas of the country, and looking at what we have. For example, there was a post on Slashdot (I think) about one high school science fair project that demonstrated DNA steganography. We are barely past the "build a volcano and explain it" in high school science fairs. (Btw, this increases the problem I have in convincing the PHB of the importance of security.) That does not mean we don't have to worry about it. It just means we might have a fighting chance in the race.

mark
Current thread:
- N2H2 Web Proxy/Filter appliance Mark (Jun 15)
- Re: N2H2 Web Proxy/Filter appliance Alex Schuetz (Jun 16)
- Re: N2H2 Web Proxy/Filter appliance Mark (Jun 17)
- Re: N2H2 Web Proxy/Filter appliance Crispin Cowan (Jun 16)
- Re: Firewalls and stuff (Was about N2H2) Mark (Jun 17)
- Re: Firewalls and stuff (Was about N2H2) Crispin Cowan (Jun 17)
- (no subject) Bluefish (Jun 18)
- Re: N2H2 Web Proxy/Filter appliance Mark (Jun 17)
- Re: N2H2 Web Proxy/Filter appliance Alex Schuetz (Jun 16)
- Re: N2H2 Web Proxy/Filter appliance Eric Wanner (Jun 17)
- Re: N2H2 Web Proxy/Filter appliance Crispin Cowan (Jun 17)
- Re: N2H2 Web Proxy/Filter appliance Blue Boar (Jun 17)
- Re: N2H2 Web Proxy/Filter appliance Bluefish (Jun 18)
- HP LaserJet 4 Series Jet Direct Ryan Yagatich (Jun 18)
- Re: HP LaserJet 4 Series Jet Direct Blue Boar (Jun 18)
- Re: HP LaserJet 4 Series Jet Direct (and others) Joel Michael (Jun 18)
- Re: HP LaserJet 4 Series Jet Direct (and others) Blue Boar (Jun 18)