Re: [FW-1] [fw-1] Instant Messenger bypass FW-1



> > All stateful firewalls and packet filtering devices will be vulnerable to
> > this type of behavior because they use information contained in the network
> > (ip addresses) and transport (tcp/udp/etc) to determine whether or not
> > information should go through the firewall.  Any malicious or "slippery"
> > software will easily bypass a firewall in the outbound direction.
> Only if your policy allows all outbound traffic, which it should not.
> (I do this all the time anyway... just pointing out best practices)

You sure are an ornery commenter, Don.  My point here is that if you have any
port open outbound, an application will be able to use that port to get out -- for
instance 80/tcp.  The firewall will let it out because, as far as it is concerned, that
is valid http traffic, because it only checks the valid ip addresses and valid ports,
nothing in the upper layers to verify that this is normal http (80/tcp) traffic and not,
as this person suggested, IM.

> > In some cases, inbound traffic is subject to this as well.  For
> > instance, one piece of software used ICMP echo replies to communicate
> > with "controlled" machines.
> There is almost no reason to allow internal machines to ping out to the
> Internet in the first place. Block ICMP both ways and this is not a
> problem. Allow echo replies to a single trusted system that you control
> and can use for network testing.

I agree that people **should** not use it, but the truth is that people do.  The
idea here is to make people aware that an application that uses a **valid** port,
as far as your policy is concerned, will get through the firewall unless you use
other measures to block them -- as mentioned by you, myself and various others.

Bill
in answer to the original query.
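The point Bill makes above (a port-only filter accepts anything on 80/tcp, so an "other measure" has to look at the upper layers) as an added illustration, not code from the list or from any firewall product. The policy table, the request-line grammar and the two sample payloads below are constructed for the example; the "IM" payload is just arbitrary non-HTTP bytes, not a real IM protocol.

```python
import re

# Constructed outbound policy of a port/address-only filter: 80 and 443 out are allowed.
ALLOWED_OUTBOUND_PORTS = {80, 443}

# Minimal HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(
    rb"^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH) [^ \r\n]+ HTTP/1\.([01])\r\n"
)

def port_only_verdict(dst_port: int) -> str:
    """What the stateful/packet filter decides on its own: it never reads the payload."""
    return "allow" if dst_port in ALLOWED_OUTBOUND_PORTS else "deny"

def looks_like_http_request(payload: bytes) -> bool:
    """Upper-layer check: does the first client segment really begin an HTTP/1.x request?"""
    m = REQUEST_LINE.match(payload)
    if not m:
        return False
    if m.group(1) == b"0":          # HTTP/1.0 has no mandatory Host header
        return True
    # HTTP/1.1 requests must carry a Host header; treat its absence as "not normal http".
    header_block = payload[m.end():]
    return re.search(rb"(?im)^Host: [^\r\n]+\r\n", header_block) is not None

def layered_verdict(dst_port: int, payload: bytes) -> str:
    """Port check first, then confirm that whatever rides 80/tcp is actually HTTP."""
    if port_only_verdict(dst_port) == "deny":
        return "deny"
    if dst_port == 80 and not looks_like_http_request(payload):
        return "deny"               # valid port, but not valid http traffic
    return "allow"

# Constructed sample payloads: a normal browser request and a non-HTTP blob aimed at port 80.
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n"
IM_LOGIN = b"\x00\x01LOGIN user\x00pass\x00"   # arbitrary bytes, stands in for an IM client

if __name__ == "__main__":
    for name, data in (("HTTP_GET", HTTP_GET), ("IM_LOGIN", IM_LOGIN)):
        print(f"{name:8} port-only={port_only_verdict(80)}  layered={layered_verdict(80, data)}")
```

The port-only filter says "allow" for both payloads; only the layered check separates them. An application that speaks well-formed HTTP on 80/tcp still passes this check, which is why the thread's other advice (a restrictive outbound policy plus additional controls) remains necessary.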

> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
