Vulnerability Development mailing list archives
Re: Firewalls and stuff (Was about N2H2)
From: crispin () WIREX COM (Crispin Cowan)
Date: Sat, 17 Jun 2000 12:16:49 -0700
Mark wrote:
>> Bottom line: firewalls are UTTERLY USELESS at containing people on the inside. If they wanna get out, they will.
>
> This is probably true. But they make things more challenging.
Precisely correct: the firewall blockage makes it difficult, but not secure.
>> The most vigorous example of this is Marcus Ranum's implementation of TCP/IP running on top of DNS requests.
>
> Do you have any pointers to information about this? It -sounds- like it's some form of tunnel, which would require something on another end to support it. But, I do confess that to be a wild guess :)
I've lost my pointers to it. Yes, it requires a funny proxy on the outside. The simplified explanation is like this. You want to send strings to someone on the outside. Say the receiver owns joebob.com (made up). Now your insider issues DNS queries for "thesecretnumberis8675309.joebob.com" and joebob.com's DNS server receives the string.
>> You CANNOT block someone on the inside from communicating data with the outside. It's fairly difficult just detecting such communication if they don't want you to find it.
>
> Again, probably true. Maybe not. For the TCP/IP over DNS, a sudden surge in DNS traffic would be suspicious.
Yes. If the sender wants to be sneaky, they also have to be patient, so that they don't cause big blips in normal traffic patterns. However, "normal" traffic patterns often swing so widely that it's hard to detect anomalies.
> But, we are a really slow, backwoods-type school system. We do have a few kid stars, but on the average, people here don't even know how to use a computer, much less accomplish the above. I am amazed (and ashamed) at hearing of wonders happening in other school systems, and other areas of the country, and looking at what we have. For example, there was a post on Slashdot (I think) about one high school science fair project that demonstrated DNA steganography. We are barely past the "build a volcano and explain it" in high school science fairs. (Btw, this increases the problem I have in convincing the PHB of the importance of security)
IMHO, the important security issue is to keep bad stuff out, not to keep the kiddles in. Any kid capable of going around your blockage is fully capable of accessing that porn site (or whatever) by any means they want, and it serves no purpose to expend effort trying to stop them. Better to give the kid education and support than to try to frustrate them. Putting up weak fences just teaches them that cheating the system can work for them.

Crispin

--
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
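As an added illustration (not part of Crispin's or Mark's posts), here is a small defender-side heuristic in Python for the "strings in DNS labels" channel and the detection question raised above: it flags queries whose leftmost label is long or near-random, like the joebob.com example, and counts distinct names a client asks for under one parent domain, since a tunnel rarely repeats a name. The log format, the thresholds, and the sample clients and hex payloads are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not real traffic): "<epoch> <client> <qname>".
# 10.0.0.5 browses normally; 10.0.0.7 smuggles strings in labels, as in the
# joebob.com illustration above. The hex labels are made-up payloads.
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.com
1001 10.0.0.5 mail.example.com
1002 10.0.0.7 thesecretnumberis8675309.joebob.com
1003 10.0.0.5 www.example.com
1004 10.0.0.7 706172742074776f206f6620746865206d657373616765.joebob.com
1005 10.0.0.7 70617274207468726565.joebob.com
1006 10.0.0.5 www.example.com
"""

def shannon_entropy(s):
    """Bits per character of the string s (0.0 for a single repeated char)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parent_domain(qname):
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def suspicious_label(qname, max_len=30, min_entropy=3.5):
    """A leftmost label that is long or near-random looks like encoded payload.
    Short hex payloads can stay under the entropy threshold, so the length
    check is needed as well; thresholds are assumptions to tune per site."""
    label = qname.split(".")[0]
    return len(label) > max_len or shannon_entropy(label) > min_entropy

def analyze(log, max_unique=3):
    """Return (flagged (client, qname) pairs, (client, parent) keys with many
    distinct names). A tunnel carries new data in every query, so the count
    of distinct names under one parent climbs steadily for that client."""
    flagged = []
    unique_names = defaultdict(set)
    for line in log.splitlines():
        _ts, client, qname = line.split()
        unique_names[(client, parent_domain(qname))].add(qname)
        if suspicious_label(qname):
            flagged.append((client, qname))
    chatty = sorted(k for k, names in unique_names.items() if len(names) >= max_unique)
    return flagged, chatty
```

Note that the short label on line 1005 slips past the per-label check and is only caught by the distinct-name count, which is why both signals are kept.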