On Mon, 6 Dec 1999, Marc Renner wrote:
> Subject: How to defeat a proxy firewall
> Let's say you have done everything in this document and have a very secure
> server and network. You have a DMZ and no one can get into your network and
> you are logging every connection made to the outside world. You make all
> your users go through a proxy and the only service you allow to go direct
> to the outside is DNS (port 53).
Then that's not a proxy firewall, that's a packet filter rule.
If you're using a normal proxy firewall then why the hell do the clients need
DNS? The proxy server does all the connecting, it needs to do all the
resolving and the clients shouldn't be able to participate in this
compromise.
If you're using a packet filter, then yes, they'll need DNS; if you're
using a proxy in transparent mode, then yes, they'll need DNS; if you're
using stateful inspection, then yes, they'll need DNS. If you're using a
traditional proxy, then no, the clients don't need DNS.
> One port, that is all it takes to make a firewall worthless.
Opening a port isn't a proxy server concept, it's a packet filter concept.
FWIW, SSL seems to be a much better protocol for tunneling, since it's
impossible to monitor the data.
Also, more to the point, opening any service is all you need to make a
firewall useless. SMTP will work as a tunnel quite well, and allow
initiation from either direction. The protection mechanism is based on
what the firewall blocks, not what it allows. Everything over HTTP is a
dangerous thing, everything over SSL is worse.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
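The two points above, that with a traditional proxy no client other than the proxy host has any business resolving names, and that an allowed port 53 is enough to carry a tunnel, both show up in the DNS query log. The script below is an added example, not code from the thread or from either poster. It assumes a hypothetical log format of "<epoch> <src_ip> <qtype> <qname>", assumes 10.0.0.5 is the proxy host and the only legitimate resolver client, and uses a constructed sample rather than captured traffic. It reports (1) every host that resolves directly instead of through the proxy and (2) queries whose subdomain labels look like encoded payload (over-long or high-entropy labels) plus domains with an unusual number of distinct subdomains, which is how a tunnel over "just DNS" looks from the inside.

```python
import hashlib
import math
import re
from collections import defaultdict

# Assumption: the proxy host is the only machine allowed to resolve names.
PROXY_HOSTS = {"10.0.0.5"}

# Assumed (hypothetical) log line format: "<epoch> <src_ip> <qtype> <qname>"
LINE_RE = re.compile(r"^(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([A-Z]+)\s+(\S+)$")


def build_sample_log():
    """Constructed sample traffic, not captured data."""
    lines = [
        "946684800 10.0.0.5 A www.example.com",
        "946684801 10.0.0.5 MX example.com",
        "946684802 10.0.0.5 A mail.example.com",
        # A client that bypasses the proxy for an ordinary lookup
        "946684803 10.0.1.23 A www.example.com",
    ]
    # A client pushing data out as hex-encoded labels under one domain
    for i in range(25):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()
        lines.append(f"{946684810 + i} 10.0.1.42 TXT {chunk}.t.example.net")
    return "\n".join(lines) + "\n"


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, base) where base is the last two labels.
    Assumption: no public-suffix handling; adequate for the sample."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(log_text, proxy_hosts=PROXY_HOSTS, max_label=40,
            min_entropy=3.5, min_unique=20):
    """Scan query log text; return direct resolvers, suspect queries and
    base domains with tunnel-like subdomain churn."""
    direct_clients = set()
    flagged = []
    subs_per_base = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, src, qtype, qname = m.groups()
        if src not in proxy_hosts:
            direct_clients.add(src)  # policy violation with a true proxy
        sub, base = split_name(qname)
        if sub:
            subs_per_base[base].add(sub)
        reasons = []
        if any(len(lbl) > max_label for lbl in sub.split(".") if lbl):
            reasons.append("long-label")
        ent = shannon_entropy(sub.replace(".", ""))
        if ent > min_entropy:
            reasons.append(f"entropy={ent:.2f}")
        if reasons:
            flagged.append((src, qtype, qname, ",".join(reasons)))
    tunnel_domains = sorted(
        (base, len(subs)) for base, subs in subs_per_base.items()
        if len(subs) >= min_unique
    )
    return {
        "direct_clients": sorted(direct_clients),
        "flagged": flagged,
        "tunnel_domains": tunnel_domains,
    }


if __name__ == "__main__":
    report = analyze(build_sample_log())
    print("hosts resolving directly (none expected behind a traditional proxy):",
          report["direct_clients"])
    print("suspect queries:", len(report["flagged"]))
    print("domains with tunnel-like subdomain churn:", report["tunnel_domains"])
```

The thresholds (40-character labels, 3.5 bits per character, 20 distinct subdomains) are starting points, not tuned values; CDN and anti-spam lookups also produce long, random-looking labels, so treat the output as a worklist rather than an alert. The first check is the cheap one: on a network where only the proxy is supposed to resolve, any other source address in the resolver log is already a finding regardless of what it queried.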