Vulnerability Development mailing list archives

Re: N2H2 Web Proxy/Filter appliance


From: crispin () WIREX COM (Crispin Cowan)
Date: Sat, 17 Jun 2000 12:08:39 -0700


Eric Wanner wrote:

> Far from useless.  Set your routers to do policy based routing, routing
> all web traffic through the proxy, set squid to accept it and bam! you've
> got it covered.

But that IS useless.  As long as you are letting SOMETHING out, then the insider
can modulate it.  If they can modulate it, then they can turn it into a covert
channel, and talk to some cooperative proxy on the outside.

Someone else points out that this kind of blocking does make it inconvenient to
tunnel outside.  That's true, it does make it inconvenient.  But "inconvenient"
has nothing to do with security.

> The benefit of that is also that you don't have to
> configure the proxy into the web browsers either.  If you don't want
> to/can't do policy based routing, you have a couple other alternatives:
>
> A) Block port 80 and 443 outbound.  Make it so they can't get to a web
> site unless it's through the proxy.

Sure they can.  They can tunnel an arbitrary port on their machine out through an
arbitrary protocol to an arbitrary proxy on the outside.

> B) Use an internal block of addresses.  You can't do much from there w/o a
> translation server of some sort.

Yes, without help from the NAT gateway, you're not getting anywhere.  HOWEVER, if
you allow them to get ANYTHING out, then they can start modulating it to talk to
their own external proxy of choice.

This whole area is called "covert channel analysis", and despite years of effort,
there is no effective way to block covert channels.  Here are a few references:

   * big fat government doc on formal analysis of covert channels
     http://www.usgovserver2.8m.com/NCSC-TG-030.html
   * a much more brief explanation  http://www.all.net/books/orange/chap8.html
   * my lecture notes (in powerpoint; sorry, get vmware :-)
     http://www.cse.ogi.edu/~crispin/527/covert.ppt which are based on the covert
     channels chapter in "Fundamentals of Computer Security Technology" by Edward
     Amoroso
     http://www.amazon.com/exec/obidos/ASIN/0131089293/qid%3D915000715/104-1716551-5344722

Crispin

--
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org


