Vulnerability Development mailing list archives

Re: Firewalls and stuff (Was about N2H2)


From: crispin () WIREX COM (Crispin Cowan)
Date: Sat, 17 Jun 2000 12:16:49 -0700


Mark wrote:

Bottom line:  firewalls are UTTERLY USELESS at containing people on the
inside.  If they wanna get out, they will.

This is probably true.  But they make things more challenging.

Precisely correct:  the firewall blockage makes it difficult, but not secure.

The most vigorous example of this is Marcus Ranum's implementation of
TCP/IP running on top of DNS requests.

Do you have any pointers to information about this?  It -sounds- like it's
some form of tunnel, which would require something on another end to
support it.  But, I do confess that to be a wild guess :)

I've lost my pointers to it.  Yes, it requires a funny proxy on the outside.

The simplified explanation is like this.  You want to send strings to
someone on the outside.  Say the receiver owns joebob.com (made up).  Now
your insider issues DNS queries for "thesecretnumberis8675309.joebob.com" and
joebob.com's DNS server receives the string.

You CANNOT block someone on the inside from communicating data with the
outside.  It's fairly difficult just detecting such communication if
they don't want you to find it.

Again, probably true.  Maybe not.  For the TCP/IP over DNS, a sudden surge
in DNS traffic would be suspicious.

Yes.  If the sender wants to be sneaky, they also have to be patient, so that
they don't cause big blips in normal traffic patterns.  However, "normal"
traffic patterns often swing so widely that it's hard to detect anomalies.

But, we are a really slow, backwoods-type school system.  We do have a few
kid stars, but on the average, people here don't even know how to use a
computer, much less accomplish the above.  I am amazed (and ashamed) at
hearing of wonders happening in other school systems, and other areas of
the country, and looking at what we have.  For example, there was a post
on Slashdot (I think) about one high school science fair project that
demonstrated DNA steganography.  We are barely past the "build a volcano
and explain it" in high school science fairs.

(Btw, this increases the problem I have in convincing the PHB of the
importance of security)

IMHO, the important security issue is to keep bad stuff out, not to keep the
kiddles in.  Any kid capable of going around your blockage is fully capable
of accessing that porn site (or whatever) by any means they want, and it
serves no purpose to expend effort trying to stop them.  Better to give the
kid education and support than to try to frustrate them.  Putting up weak
fences just teaches them that cheating the system can work for them.

Crispin

--
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
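
Added example, not part of the original post: the thread notes that a patient sender avoids a surge in DNS traffic, so this sketch ignores volume and instead flags base domains that receive many distinct, long, varied subdomain labels, which is the shape of the "thesecretnumberis8675309.joebob.com" queries described above. The log format, client addresses, thresholds and the two-label base-domain rule are assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, "<epoch> <client> <qname>"; addresses and the
# example.org names are made up, joebob.com is the post's made-up domain.
# The joebob.com queries are an hour apart, so there is no volume surge.
SAMPLE_LOG = """\
961269409 10.0.0.5 www.example.org
961269500 10.0.0.7 thesecretnumberis8675309.joebob.com
961273100 10.0.0.7 parttwoofthemessagefollows.joebob.com
961276700 10.0.0.7 andhereisthethirdchunk0042.joebob.com
961280300 10.0.0.7 finalpieceofthestring9981.joebob.com
961280400 10.0.0.9 mail.example.org
961280500 10.0.0.5 www.example.org
961280600 10.0.0.9 ftp.example.org
"""

def entropy(s):
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname):
    """Return (subdomain part, base domain) for a query name."""
    labels = qname.rstrip(".").lower().split(".")
    # Assumption: the base domain is the last two labels (no public-suffix list).
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def suspicious_domains(log_text, min_unique=3, min_avg_len=20, min_entropy=3.0):
    """Flag base domains queried with many distinct, long, varied subdomains."""
    subs_by_domain = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        sub, base = split_name(fields[2])
        if sub:
            subs_by_domain[base].add(sub)
    flagged = {}
    for base, subs in subs_by_domain.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        ent = entropy("".join(sorted(subs)))
        if len(subs) >= min_unique and avg_len >= min_avg_len and ent >= min_entropy:
            flagged[base] = {"unique": len(subs), "avg_len": avg_len, "entropy": round(ent, 2)}
    return flagged

if __name__ == "__main__":
    print(suspicious_domains(SAMPLE_LOG))
```

On real traffic the thresholds need tuning against a baseline, since some legitimate services also generate long machine-made labels.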
