Re: [FW-1] [fw-1] Instant Messenger bypass FW-1
I've been watching this for some days now. Yes, I agree that AIM and others pose a great security threat for a Company. But how does it pose a great security threat? I mean that someone (maybe a Firewall Administrator) should put something like (InternalNET)-(Any)-(TCP/UDP 53)-(Accept) inside the rule base. He or she could also put something like (DnsGroup)-blah-blah-Accept inside the rule base. In both cases, if the client with AIM installed is included in there, you people have a problem. You may also have a problem if AIM can connect using a proxy server over HTTP-HTTPS-FTP etc.

But isn't something like a best practice (or the ONE AND ONLY DEFAULT RULE ANY-ANY-ANY-DROP-LONG) to deny both incoming and outgoing connections when installing a firewall? Shouldn't everyone start by denying EVERYTHING and then ACCEPTING only the ones ABSOLUTELY necessary? I really don't know if the AIM client can use a proxy server to initiate a connection and connect to the AIM servers.

What I believe is that Companies that have already invested $K's on security could afford to install a chat server. Most Companies have M$ Exchange Server, so they could install M$ Chat Server (I believe it is free of charge) and so they could communicate with the remote branches all over the world using M$ Chat. This would satisfy their need for cheap, easy, ready-to-rock communications. Needless to say, they can configure both the Server and the Firewall to accept connections from specific hosts and no one else. Companies that don't have M$ Exchange Server could settle with something else (I don't know what, maybe AIM Server or something else; I guess that there are a lot of freeware or low-cost programs out there). So what's all the commotion?

What about ICMP? Should one allow outgoing and incoming ICMP for everyone in the Corporate Domain? I don't think so. ICMP poses another great threat for Companies. Needless to say, ICMP is an administrative tool whose use should be allowed ONLY for the Administrators of a Company.

Come on people, we are supposed to be Firewall Administrators or something like that. We are not supposed to let everything in and out of our Domains. I also cannot understand some people leaving the implied rules on. Many Administrators do that? How come? Are you too bored to find out what you should do to have the same functionality using explicit rules? Is it so hard to put in some rules allowing connections to the Firewall ONLY from specific hosts (Management Server, Logging Administrator, Firewall Engineer etc.)? I don't think so.

Another thing about AIM is (maybe I am wrong though) that one could start a network monitor and capture data and connection patterns from the AIM client. This way he or she could create a custom service and finally block the AIM traffic itself rather than the login servers for AIM.

Just some thoughts I have.

P.S. I am not a Firewall or Security expert and I don't consider myself to be one. One thing I know is that, no matter how hard or pain in the *** it is, you should start by defining (ANY)-(ANY)-(ANY)-(DROP)-(LONG) in the rulebase, rather than (ANY)-(ANY)-(ANY)-(ACCEPT). You can argue if you want to.

Cheers,
Dimitris.

-----Original Message-----
> All stateful firewalls and packet filtering devices will be vulnerable to
> In some cases, inbound traffic is subject to this as well. For
-Don
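The rule-base point made in the reply above (TCP/UDP 53 allowed only to DnsGroup, with ANY-ANY-ANY-DROP-LONG as the clean-up rule), worked through as an added example that is not part of the original thread: a small first-match rule-base model in Python, not FireWall-1 code. The InternalNET range, the DnsGroup resolvers and the sample hosts are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed network objects standing in for the FW-1 objects named in the post.
INTERNAL_NET = ("10.0.0.0/8",)                   # "InternalNET" (constructed)
DNS_GROUP = ("10.0.0.53/32", "10.0.0.54/32")     # "DnsGroup": the internal resolvers (constructed)


@dataclass(frozen=True)
class Rule:
    src: tuple          # CIDRs, or ("Any",)
    dst: tuple
    service: frozenset  # e.g. {"tcp/53", "udp/53"}, or {"Any"}
    action: str         # "Accept" or "Drop"
    track: str          # "Long", "Short" or "None"


def _host_in(addr, objects):
    return "Any" in objects or any(ip_address(addr) in ip_network(o) for o in objects)


def evaluate(rules, src, dst, proto, port):
    """First matching rule decides, top to bottom; returns (rule index, action, track)."""
    svc = f"{proto}/{port}"
    for i, r in enumerate(rules):
        if _host_in(src, r.src) and _host_in(dst, r.dst) and ("Any" in r.service or svc in r.service):
            return i, r.action, r.track
    raise ValueError("no rule matched: the rule base lacks an explicit clean-up rule")


# (ANY)-(ANY)-(ANY)-(DROP)-(LONG): the explicit clean-up rule the post insists on.
CLEANUP = Rule(("Any",), ("Any",), frozenset({"Any"}), "Drop", "Long")
DNS = frozenset({"tcp/53", "udp/53"})

LOOSE = [Rule(INTERNAL_NET, ("Any",), DNS, "Accept", "None"), CLEANUP]   # (InternalNET)-(Any)-(TCP/UDP 53)-(Accept)
STRICT = [Rule(INTERNAL_NET, DNS_GROUP, DNS, "Accept", "None"), CLEANUP]  # DNS only to the internal resolvers


def compare(rules):
    """Decision for a real DNS lookup versus a non-DNS client using port 53 to an outside host."""
    lookup = evaluate(rules, "10.1.2.3", "10.0.0.53", "udp", 53)    # workstation -> internal resolver
    outside = evaluate(rules, "10.1.2.3", "192.0.2.10", "tcp", 53)  # same workstation -> arbitrary external host
    return lookup[1], outside[1]


if __name__ == "__main__":
    print("loose :", compare(LOOSE))    # ('Accept', 'Accept'): port 53 to Any lets the chat client out
    print("strict:", compare(STRICT))   # ('Accept', 'Drop'): only the resolvers are reachable; rest hits clean-up
```

With the strict base the dropped connection is also logged with track "Long", which is what makes the non-DNS use of port 53 visible to the administrator.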