On Tue, 16 Nov 1999, Per Gustav Ousdal wrote:
> Date: Tue, 16 Nov 1999 11:04:21 +0100
> From: Per Gustav Ousdal <[EMAIL PROTECTED]>
> To: "Paul D. Robertson" <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: SV: Query on FW Attacks -reply
>
> > > If the network architecture was done correctly and the underlying
> > > operating system was hardened to only allow that particular application's
> > > protocol to be the only service enabled then it would be very hard to
> > > actually get in.. Marcus's assumption is that every firewall admin or
> > > firewall admin wannabe misconfigures their firewall on a general basis.
> >
> > Your assumptions don't hold true for ActiveX-enabled Web browsers on
> > Windows9x, lusers executing greeting cards, Excel/Word macro viruses,
> > e-mail viruses... Marcus' statement holds true for that set of things as
> > well as externally originated traffic.
>
> (Sorry Paul, I like your posting a lot (and I am really more "on your side"),
> so no offense, but) "mht" *might* have covered these cases by saying
> "if the network architecture was done correctly ..". Probably far
> fetched, but this term *could* include ActiveX & Java disabled on all
> hosts, and a "mail filter*" that would put ANY attachment in /dev/null.
Which still doesn't cover HTTP downloads, especially of self-updating
HTTP-based things like, say, a new release of IE. There are simply
becoming too many vectors to get data "in."
> Call me crazy, but: If security is absolutely vital to an organisation
> their policy should be like this (and they should use alternative ways
> to distribute files). (See my post to mht for what I think *Marcus*
> really meant)
My "problem" with this is that you can't have 401K plans over the Web,
business-to-business ordering, and the like without HTTP access, so even
if you do all of the above, you're still talking about limiting HTTP and
HTTPS traffic significantly. I no longer think that's a realistic goal
in most commercial environments. Believe me, I'm probably one of the
most vocal and as far as anyone in a company the size of mine, practicing
opponents of limiting such things.
> * This gave me an idea (maybe it exists already, but): How about a mail
> filter that would require all attachments to be (PGP?? (probably not,
> but maybe a custom thing that would use a key with the same level of
> security of the PGP secret key)) encrypted with a "public" key that was
> given only to those with a valid need to send attachments to the
> organisation (thru a secure channel of'coz)? Any other attachments would
> go to /dev/null. Sure a lot of hassle, but if that level of security is
> needed, this might be a solution? Anyone?
Well, in my case, there are large numbers of people within the
organization who must be able to receive such data from members of the
general public, so it wouldn't work. Perhaps for your business it would.
> > > So I would take his statement with a grain of salt and state that if a
> > > security network architecture is set up securely and applications that
> > > are possibly vulnerable are placed strategically, things will not get
> > > broken into as fast as he claims..
> >
> > The point that the firewall's protection mechanism is based on what's
> > blocked, not what's passed is still valid. Incoming traffic doesn't
> > have to be externally initiated, it can be DNS, HTTP, SMTP...
>
> Good points.
>
> Any thoughts on which attacks/threats are possible in this situation (i.e.
> traffic internally initiated)? I can think of threats like spoofing, and
> redirection (to sites that claim to be what they are not). But are there
> any attacks that can be accomplished this way? To compromise either the
> FW or hosts on the inside?
Sure, spoof or redirect *.microsoft.com when Exploder 6.0 comes out and
replace it with a trojan. That's about the simplest.
> BTW: Hey, how come everyone else in this thread is @clark.net?? :)
We all chose the best regional ISP before the borg ship that is Verio
moved in. Or it's all a conspiracy ;)
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
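Per's idea further up (a mail filter that discards every attachment not encrypted to a key the organisation hands only to approved senders) can be sketched as a gateway check. What follows is an added example written for this page, not code from the thread or from any product. It assumes attachments arrive as ASCII-armored OpenPGP messages, identifies the organisation's key only by a made-up 64-bit key ID (ORG_ATTACHMENT_KEY_ID), and constructs its own sample mail, including the addresses and file names. It never decrypts anything: it walks the OpenPGP packet headers and keeps an attachment only when a Public-Key Encrypted Session Key packet names our key, so anyone holding the handed-out public key can get a file in and every other attachment (greeting-card executables included) is dropped.

```python
import base64
import email
from email import policy
from email.message import EmailMessage

# Hypothetical 64-bit OpenPGP key ID of the key handed out to approved senders.
ORG_ATTACHMENT_KEY_ID = bytes.fromhex("0123456789ABCDEF")

def dearmor(text: str) -> bytes:
    """Strip RFC 4880 ASCII armor from a PGP MESSAGE block; b'' if it is not one."""
    head, sep, rest = text.strip().replace("\r\n", "\n").partition("-----BEGIN PGP MESSAGE-----")
    if head or not sep:
        return b""
    rest = rest.split("-----END PGP MESSAGE-----")[0]
    _hdrs, _, data = rest.partition("\n\n")  # armor headers (Version:, Comment:) end at a blank line
    b64 = "".join(ln.strip() for ln in data.splitlines() if not ln.startswith("="))  # "=XXXX" is CRC-24
    try:
        return base64.b64decode(b64, validate=True)
    except ValueError:
        return b""

def pkesk_key_ids(packets: bytes) -> list[bytes]:
    """Collect the recipient key ID from each Public-Key Encrypted Session Key
    packet (tag 1); stop at anything that cannot be parsed safely."""
    ids, pos = [], 0
    try:
        while pos < len(packets) and packets[pos] & 0x80:
            ctb = packets[pos]
            if ctb & 0x40:  # new-format header
                tag, first = ctb & 0x3F, packets[pos + 1]
                if first < 192:
                    length, hdr = first, 2
                elif first < 224:
                    length, hdr = ((first - 192) << 8) + packets[pos + 2] + 192, 3
                elif first == 255:
                    length, hdr = int.from_bytes(packets[pos + 2:pos + 6], "big"), 6
                else:
                    break  # partial body lengths: never used for a PKESK
            else:  # old-format header: length-field size in the low two bits
                tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
                if ltype == 3:
                    break  # indeterminate length
                hdr = 1 + (1 << ltype)
                length = int.from_bytes(packets[pos + 1:pos + hdr], "big")
            body = packets[pos + hdr:pos + hdr + length]
            if tag == 1 and len(body) >= 9 and body[0] == 3:  # version 3 PKESK: key ID follows
                ids.append(bytes(body[1:9]))
            pos += hdr + length
    except IndexError:
        pass  # truncated header: treat the rest as unparseable
    return ids

def attachment_allowed(part: EmailMessage) -> bool:
    """Pass only an armored OpenPGP message that carries a PKESK for our key."""
    payload = part.get_payload(decode=True) or b""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return False  # binary blob: not the agreed armored form
    return ORG_ATTACHMENT_KEY_ID in pkesk_key_ids(dearmor(text))

def _strip(part: EmailMessage, dropped: list[str]) -> None:
    if not part.is_multipart():
        return
    kept = []
    for sub in part.iter_parts():
        if (sub.is_attachment() or sub.get_filename()) and not attachment_allowed(sub):
            dropped.append(sub.get_filename() or sub.get_content_type())
            continue
        _strip(sub, dropped)
        kept.append(sub)
    part.set_payload(kept)

def filter_message(raw: bytes) -> tuple[EmailMessage, list[str]]:
    """Parse raw mail, remove disallowed attachments, return (message, dropped names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    dropped: list[str] = []
    _strip(msg, dropped)
    return msg, dropped

def make_pgp_attachment(key_id: bytes) -> str:
    # Constructed armored message: one old-format PKESK for key_id with a dummy RSA MPI,
    # followed by a placeholder tag-18 packet whose contents are irrelevant here.
    pkesk_body = b"\x03" + key_id + b"\x01" + b"\x00\x10\xab\xcd"
    pkesk = b"\x85" + len(pkesk_body).to_bytes(2, "big") + pkesk_body
    b64 = base64.b64encode(pkesk + b"\xd2\x04\xde\xad\xbe\xef").decode()
    return f"-----BEGIN PGP MESSAGE-----\nComment: constructed\n\n{b64}\n=AAAA\n-----END PGP MESSAGE-----\n"

def sample_message() -> bytes:
    # Constructed inbound mail: one attachment for our key, one for another key, one .exe.
    msg = EmailMessage()
    msg["From"], msg["To"] = "partner@example.invalid", "orders@example.invalid"
    msg.set_content("Order attached.")
    for name, data in (
        ("order.pgp", make_pgp_attachment(ORG_ATTACHMENT_KEY_ID).encode()),
        ("someone-else.pgp", make_pgp_attachment(bytes.fromhex("FEDCBA9876543210")).encode()),
        ("greeting_card.exe", b"MZ\x90\x00 not really a program"),
    ):
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

On the constructed sample, filter_message keeps order.pgp and drops someone-else.pgp and greeting_card.exe. Two caveats a practitioner would want: the check gates who can send (possession of the handed-out public key), not what they send, so whatever is inside still has to be decrypted and scanned on a host that is allowed to hold the private key; and, as Paul notes, it is unusable wherever the general public must be able to send files.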
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]