Re: [FW-1] [fw-1] Instant Messenger bypass FW-1
> > All stateful firewalls and packet filtering devices will be vulnerable to
> > this type of behavior because they use information contained in the network
> > (ip addresses) and transport (tcp/udp/etc) to determine whether or not
> > information should go through the firewall. Any malicious or "slippery"
> > software will easily bypass a firewall in the outbound direction.
>
> Only if your policy allows all outbound traffic, which it should not.
> (I do this all the time anyway... just pointing out best practices)

You sure are an ornery commenter, Don. My point here is that if you have any port open outbound, an application will be able to use that port to get out -- for instance 80/tcp. The firewall will let it out because, as far as it is concerned, that is valid http traffic: it only checks the valid ip addresses and valid ports, nothing in the upper layers to verify that this is normal http (80/tcp) traffic and not, as this person suggested, IM.

> > In some cases, inbound traffic is subject to this as well. For
> > instance, one piece of software used ICMP echo replies to communicate
> > with "controlled" machines.
>
> There is almost no reason to allow internal machines to ping out to the
> Internet in the first place. Block ICMP both ways and this is not a
> problem. Allow echo replies to a single trusted system that you control
> and can use for network testing.

I agree that people **should** not use it, but the truth is that people do. The idea here is to make people aware that an application that uses a **valid** port as far as your policy is concerned will get through the firewall unless you use other measures to block them -- as mentioned by you, myself and various others.

Bill

in answer to the original query.
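An added example, not from this thread or from Check Point, of the "other measures" Bill refers to: a port/address rule cannot tell real HTTP from something else on 80/tcp, so the check has to look at the application layer of flows the policy already permits. The script below applies two such checks to a constructed list of flow records: does the first client payload on 80/tcp start with an HTTP request line, and was an inbound ICMP echo reply preceded by an echo request from the inside host it is addressed to. The Flow class, the addresses and the payloads are all constructed for the illustration.

```python
"""Application-layer sanity checks for traffic that a port-based outbound
policy already permits (80/tcp out, ICMP echo replies in).

Constructed example: the Flow records below are made up for illustration.
"""
import re
from dataclasses import dataclass

# A minimal HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n"
)


@dataclass
class Flow:
    """One observed flow, as a simple sensor might summarise it (constructed)."""
    src: str
    dst: str
    proto: str        # "tcp" or "icmp"
    dport: int        # destination port for tcp, 0 for icmp
    icmp_type: int    # 8 = echo request, 0 = echo reply, -1 for tcp
    payload: bytes    # first bytes of client data / ICMP data


def looks_like_http(payload: bytes) -> bool:
    """True if the first client bytes form a plausible HTTP request line."""
    return HTTP_REQUEST_LINE.match(payload) is not None


def check_flows(flows):
    """Return (src, dst, reason) findings for flows that the port-based
    policy would pass but whose application layer does not match the
    protocol the port is supposed to carry."""
    findings = []
    # (inside host, outside host) pairs that sent an echo request outward,
    # so a later reply in the other direction is solicited.
    echo_requests_seen = set()
    for f in flows:
        if f.proto == "tcp" and f.dport == 80:
            if not looks_like_http(f.payload):
                findings.append((f.src, f.dst, "non-HTTP payload on 80/tcp"))
        elif f.proto == "icmp":
            if f.icmp_type == 8:
                echo_requests_seen.add((f.src, f.dst))
            elif f.icmp_type == 0 and (f.dst, f.src) not in echo_requests_seen:
                findings.append((f.src, f.dst, "unsolicited ICMP echo reply"))
    return findings


# Constructed sample: one real HTTP request, one non-HTTP blob on port 80,
# one solicited ping exchange and one echo reply nobody asked for.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", "tcp", 80, -1,
         b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.7", "192.0.2.20", "tcp", 80, -1,
         b"\x00\x01\x00\x01login-blob"),
    Flow("10.0.0.5", "192.0.2.30", "icmp", 0, 8, b"ping"),
    Flow("192.0.2.30", "10.0.0.5", "icmp", 0, 0, b"ping"),
    Flow("198.51.100.9", "10.0.0.7", "icmp", 0, 0, b"cmd"),
]

if __name__ == "__main__":
    for src, dst, reason in check_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {reason}")
```

Two caveats for anyone adapting this: the request-line test only sees the first packet and only catches software that does not bother to speak real HTTP, so an application that wraps its traffic in well-formed HTTP (or uses 443/tcp, where the payload is encrypted) passes it; the stronger control on this point is the one Don describes, a tight outbound policy plus a proxy that terminates the protocol, with this kind of check as a detection layer behind it. The echo-reply test likewise assumes the sensor sees both directions of the traffic.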
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================