Re: [FW-1] [fw-1] Instant Messenger bypass FW-1
What I was trying to point out is that one (maybe, I don't know for sure) could define a Service of (Services), (New), (Other) if and only if he/she knows how to use the Inspect Script language and fires up a network monitor to capture AIM packets so as to come up with a pattern used every time AIM tries to connect. Afterwards, by putting in a rule like (ANY)-(ANY)-(CustomAIMService)-(DROP)-(Long), he/she could finally block the AIM client. But this is not the best practice. The best practice is what I wrote in my previous posts.
Cheers,
Dimitris
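As an added illustration of the approach Dimitris describes (this is not code from the thread, and it is not an INSPECT script, which is what an actual FW-1 custom service would need), the block below captures the matching logic one would derive from a packet capture: it looks for the AIM/OSCAR FLAP "new connection" frame in the first payload of a TCP connection, whatever the destination port. The FLAP framing assumed here (0x2A start byte, one-byte channel, two-byte sequence number, two-byte length, and a channel-1 frame carrying the four-byte protocol version 1) is taken from third-party OSCAR documentation rather than from the page; the flows and addresses are constructed for the example.

```python
"""Port-independent matcher for the AIM/OSCAR FLAP login frame.

Added example, not part of the original mailing-list thread. The FLAP
layout is an assumption drawn from third-party OSCAR documentation:

    0x2A | channel (1) | sequence (2, big-endian) | length (2, big-endian) | data

A channel-1 frame whose data starts with 0x00000001 is the "hello"
a client sends on every new connection, so it is a usable signature
regardless of which port the client was forced onto.
"""
import struct

FLAP_START = 0x2A
FLAP_CHANNEL_NEW_CONNECTION = 1
FLAP_HEADER_LEN = 6
FLAP_VERSION_1 = b"\x00\x00\x00\x01"


def parse_flap(payload: bytes):
    """Return (channel, seq, data) for a well-formed FLAP frame, else None."""
    if len(payload) < FLAP_HEADER_LEN or payload[0] != FLAP_START:
        return None
    _start, channel, seq, length = struct.unpack("!BBHH", payload[:FLAP_HEADER_LEN])
    data = payload[FLAP_HEADER_LEN:FLAP_HEADER_LEN + length]
    if len(data) != length:
        return None  # truncated frame: do not match on partial data
    return channel, seq, data


def is_aim_login(payload: bytes) -> bool:
    """True when the payload is a FLAP channel-1 frame announcing FLAP version 1."""
    frame = parse_flap(payload)
    if frame is None:
        return False
    channel, _seq, data = frame
    return channel == FLAP_CHANNEL_NEW_CONNECTION and data[:4] == FLAP_VERSION_1


def classify(flows):
    """flows: iterable of (src, dst, dport, first_payload).

    Returns the (src, dst, dport) tuples that look like an AIM login,
    ignoring dport entirely; that is the point of a payload signature.
    """
    return [(src, dst, dport) for src, dst, dport, payload in flows if is_aim_login(payload)]


# Constructed sample first payloads of four TCP connections (not captured data).
SAMPLE_FLOWS = [
    # AIM login hello on its usual port 5190
    ("10.0.0.5", "198.51.100.1", 5190, b"\x2a\x01\x00\x01\x00\x04" + FLAP_VERSION_1),
    # the same hello piggybacking on port 80, which a port-based rule would let through
    ("10.0.0.5", "198.51.100.1", 80, b"\x2a\x01\x00\x01\x00\x04" + FLAP_VERSION_1),
    # ordinary HTTP request: must not match
    ("10.0.0.6", "192.0.2.10", 80, b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    # a FLAP data frame (channel 2) without the login hello: must not match either
    ("10.0.0.7", "192.0.2.11", 5190, b"\x2a\x02\x00\x09\x00\x02\x00\x01"),
]


if __name__ == "__main__":
    for src, dst, dport in classify(SAMPLE_FLOWS):
        print(f"AIM login detected: {src} -> {dst}:{dport}")
```

The caveat raised later in the thread still applies in a different form: a payload signature removes the port dependency, but it only helps if the firewall inspects every outbound TCP stream with it, and a client tunnelled through an HTTP proxy or otherwise wrapped would not present this frame as the first payload.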
-----Original Message-----
From: Russell Washington [mailto:[email protected]]
Sent: Friday, June 14, 2002 2:11 AM
To: [email protected]
Subject: Re: [FW-1] [fw-1] Instant Messenger bypass FW-1
No disagreement here. The point that I was trying to make to Dimitri was
that at a service level I don't think there's a way to tackle this. If you
get into proxying or some of the arguably non-firewall firewall add-ons,
etc., ayup, there are some answers. But I think Dimitri proposed using a
custom service in the security policy, which I don't think is going to work
due to a still-inherent port dependency (unless there's something I'm
missing, and I may well be).
-----Original Message-----
From: Don [mailto:[email protected]]
Sent: Thursday, June 13, 2002 3:05 PM
To: [email protected]
Subject: Re: [FW-1] [fw-1] Instant Messenger bypass FW-1
> So we're talking about utilizing proxy functionality, not (in reference
> to the post from Dimitri that actually prompted the reply you're
> quoting me
> from) firewall functionality, as I think *he* was describing.
>
> Right?
I wasn't talking about any functionality in particular. Just saying that IM
clients can't do anything if we block their access to the rest of the
Internet.
> > Telnet, DNS, yadda yadda. While your point about denying everything
> > unless "absolutely needed" is well taken, the point is that AIM will
> > piggyback on one of those "absolutely needed" ports and at that
> > point your only option is to blackhole the login servers.
This is the comment I was addressing specifically. If you don't allow
workstations to do DNS lookups, or direct SMTP, then there will be no holes
for clients like AIM to exploit.
-Don