Vulnerability Development mailing list archives
Re: N2H2 Web Proxy/Filter appliance
From: crispin () WIREX COM (Crispin Cowan)
Date: Sat, 17 Jun 2000 12:08:39 -0700
Eric Wanner wrote:
> Far from useless. Set your routers to do policy based routing, routing all web traffic through the proxy, set squid to accept it and bam! you've got it covered.
But that IS useless. As long as you are letting SOMETHING out, then the insider can modulate it. If they can modulate it, then they can turn it into a covert channel, and talk to some cooperative proxy on the outside. Someone else points out that this kind of blocking does make it inconvenient to tunnel outside. That's true, it does make it inconvenient. But "inconvenient" has nothing to do with security.
> The benefit of that is also that you don't have to configure the proxy into the web browsers either. If you don't want to/can't do policy based routing, you have a couple other alternatives:
>
> A) Block port 80 and 443 outbound. Make it so they can't get to a web site unless it's through the proxy.
Sure they can. They can tunnel an arbitrary port on their machine out through an arbitrary protocol to an arbitrary proxy on the outside.
> B) Use an internal block of addresses. You can't do much from there w/o a translation server of some sort.
Yes, without help from the NAT gateway, you're not getting anywhere. HOWEVER, if you allow them to get ANYTHING out, then they can start modulating it to talk to their own external proxy of choice. This whole area is called "covert channel analysis", and despite years of effort, there is no effective way to block covert channels.

Here are a few references:

* big fat government doc on formal analysis of covert channels
  http://www.usgovserver2.8m.com/NCSC-TG-030.html
* a much more brief explanation
  http://www.all.net/books/orange/chap8.html
* my lecture notes (in powerpoint; sorry, get vmware :-)
  http://www.cse.ogi.edu/~crispin/527/covert.ppt
  which are based on the covert channels chapter in "Fundamentals of Computer Security Technology" by Edward Amoroso
  http://www.amazon.com/exec/obidos/ASIN/0131089293/qid%3D915000715/104-1716551-5344722

Crispin

--
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org