>Our firewall blocks outgoing telnet/ssh.  Actually the
>only thing it lets through for regular users is
>proxied HTTP, with username/pwd authentication.  What
>I'm wondering is if it would be possible for a user to
>do something like IP-over-IP, putting the telnet
>packets inside HTTP packets so the proxy thinks they
>are legit.

It's possible to tunnel any protocol over any other one, as
long as timing isn't important.  How easy this is going to be
in your environment probably depends on how carefully
you audit your logs.  (If you've got a proxy that can require
authentication to get out, chances are good it can log
full URLs as well.)

For example, take a Windows NT web server somewhere on
the outside.  Copy cmd.exe to the cgi-bin directory, or
equivalent and enable it to be executed.  Go to your
web browser, and open the following url:

http://www.example.com/cgi-bin/cmd.exe?dir

No matter how strict your proxy is, that will always be
legal HTTP.

Blocking that sort of thing is an IDS problem, not really a firewall
problem.

                    Ryan


