RE: [FW1] Trojans & spyware imitating alowed trafic
Ralf,

It is possible to solve this with content screening (checking for specific keywords or patterns etc).

Another solution is using a terminal server and using the terminal server for internet access while turning on any access from the terminal server to the internal network and disabling cut'n paste between the terminal server session and the desktop computer.

Another alternate solution is a program which disables cut'n paste between the internet browser and your other programs (which I don't remember the name of).

The solution using one or more terminal servers is being used, and it's not easy for a user to expose internal data from your company if you in addition are using a terminal server for your company applications and have no access but to the terminal servers from the desktop (you disable local floppy drive, internet mail etc here).

Of course a user could still print something and fax / snail mail it.

Lars

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Thursday, July 12, 2001 12:20
To: Lars Troen
Cc: [email protected]
Subject: RE: [FW1] Trojans & spyware imitating alowed trafic

Lars,

have you thought about internal users shoveling out loads of company data via http?

If you allow connections to freemail providers, you can upload attachments, cut-and-paste info to mail forms, whatever. If I block all access to freemailers, an internal culprit can still set up his own external server listening and accepting uploads on port 80 (or any allowed outbound service for that matter).

Would you agree that the only solution to this is a thorough content screening package?

I think this issue is often overlooked, at least it's not as heavily being discussed as other vulnerabilities....

Cheers
Ralf

"Lars Troen" <[email protected]>
Sent by: [email protected]
11.07.01 09:18
To: "Kim S. Lohse" <[email protected]>, "[email protected]" <[email protected]>
cc:
Subject: RE: [FW1] Trojans & spyware imitating alowed trafic

Kim,

I guess you'll find what you need here:
http://www.hp-ux.com/security/checkpoint/ar.htm

This still can't block a trojan from transferring a file through ftp, but it will prevent the use of other protocols on port 21. In the security server settings you can also prevent upload and/or download if that's what you need.

Lars

-----Original Message-----
From: Kim S. Lohse [mailto:[email protected]]
Sent: Tuesday, July 10, 2001 13:13
To: Lars Troen; [email protected]
Subject: RE: [FW1] Trojans & spyware imitating alowed trafic

Hello.

Sorry, it's probably due to lack of knowledge, but I don't see how using security servers will provide me with this function. Do you mean that I should use a proxy when connecting to the Internet and content scan and analyse all outbound traffic? I just can't see this as a realistic way to prevent spyware or a Trojan on my LAN from connecting to its server via port 21 (or some other "legal" port).

If anybody could give me a more thorough explanation or direct me to a site or a document that explains this further it would be much appreciated.

Is the alternative to install a personal firewall besides the anti virus software on every workstation and server to scan for illegal programs and traffic?

Enjoy the summer.

--------------------------------
Kim S. Lohse
Partner
ITWorx I/S
Rolfs Plads 7, 4. th.
2000 Frederiksberg
Denmark
Phone: +45 3879 1543
Web: http://www.itworx.dk
E-mail: [email protected]
--------------------------------

-----Original Message-----
From: Lars Troen [mailto:[email protected]]
Sent: 9. juli 2001 11:08
To: Kim S. Lohse; [email protected]
Subject: RE: [FW1] Trojans & spyware imitating alowed trafic

Kim,

If you use the security servers, they will provide this for you. Also protocols defined in inspect will (at least to a certain degree) do this. All other protocols that are defined by a tcp/udp port will not do this.

ZoneAlarm OTOH is a personal firewall, which works in a totally different way than fw1. As a personal firewall it doesn't care about ports, but rather about applications. It stores each application's identity as an MD5 hash, so if you allow an application to access the internet, ZoneAlarm will notice if the application changes or the executable is replaced.

Lars

-----Original Message-----
From: [email protected] [mailto:[email protected]]On Behalf Of Kim S. Lohse
Sent: Saturday, July 07, 2001 20:44
To: [email protected]
Subject: [FW1] Trojans & spyware imitating alowed trafic

Hey all,

I was wondering if anybody knows how to prevent programs such as Trojans and spyware from imitating allowed traffic such as FTP by using the same port?

I know that ZoneLabs' free ZoneAlarm prevents this by cryptographically certifying the identity of executable programs.

But how do I do something similar with FW-1?

--------------------------------
Kim S. Lohse
Partner
ITWorx I/S
Rolfs Plads 7, 4. th.
2000 Frederiksberg
Denmark
Phone: +45 3879 1543
Web: http://www.itworx.dk
E-mail: [email protected]
--------------------------------

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
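
Added example, not part of the thread and not FireWall-1 code: a simplified sketch of the kind of check Lars attributes to the FTP security server, which rejects non-FTP protocols on port 21 and can optionally block uploads or downloads. The verb list, the 512-byte limit, the function names and the sample sessions are assumptions made for illustration; as Lars notes, a genuine FTP upload still passes unless the policy disables uploads.

```python
# Added illustration: conformance check for the client side of an FTP control channel.
import re

# Command verbs from RFC 959 plus common extensions (RFC 2389/2428/3659).
FTP_VERBS = {
    "USER", "PASS", "ACCT", "CWD", "CDUP", "SMNT", "QUIT", "REIN", "PORT",
    "PASV", "TYPE", "STRU", "MODE", "RETR", "STOR", "STOU", "APPE", "ALLO",
    "REST", "RNFR", "RNTO", "ABOR", "DELE", "RMD", "MKD", "PWD", "LIST",
    "NLST", "SITE", "SYST", "STAT", "HELP", "NOOP", "FEAT", "OPTS", "EPSV",
    "EPRT", "SIZE", "MDTM",
}
UPLOAD_VERBS = {"STOR", "STOU", "APPE"}
DOWNLOAD_VERBS = {"RETR"}
MAX_LINE = 512  # assumed limit; a real proxy would make this configurable
LINE_RE = re.compile(rb"([A-Za-z]{3,4})(?: ([\x20-\x7e]*))?\r\n")


def screen_command(raw: bytes, allow_upload=True, allow_download=True):
    """Return (verdict, reason) for one client line on the control channel."""
    if len(raw) > MAX_LINE:
        return ("drop", "line too long for an FTP command")
    m = LINE_RE.fullmatch(raw)
    if not m:
        return ("drop", "not a CRLF-terminated printable FTP command line")
    verb = m.group(1).decode("ascii").upper()
    if verb not in FTP_VERBS:
        return ("drop", f"unknown FTP verb {verb}")
    if verb in UPLOAD_VERBS and not allow_upload:
        return ("drop", f"{verb} blocked: uploads disabled by policy")
    if verb in DOWNLOAD_VERBS and not allow_download:
        return ("drop", f"{verb} blocked: downloads disabled by policy")
    return ("accept", verb)


def screen_session(lines, **policy):
    """Screen a session; stop at the first rejected line, as a proxy would."""
    results = []
    for raw in lines:
        verdict = screen_command(raw, **policy)
        results.append(verdict)
        if verdict[0] == "drop":
            break
    return results


# Constructed sample sessions (not captured traffic).
REAL_FTP = [b"USER anonymous\r\n", b"PASS guest@\r\n", b"PASV\r\n",
            b"STOR report.doc\r\n", b"QUIT\r\n"]
NOT_FTP = [b"POST /upload HTTP/1.0\r\n", b"Host: example.invalid\r\n"]
```
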