From: John Cheswick <[EMAIL PROTECTED]>
>Our firewall blocks outgoing telnet/ssh.  Actually the
>only thing it lets through for regular users is
>proxied HTTP, with username/pwd authentication.  What
>I'm wondering is if it would be possible for a user to
>do something like IP-over-IP, putting the telnet
>packets inside HTTP packets so the proxy thinks they
>are legit.
>
>I'm not worried about some wizzo hand-crafting
>packets; what I'm more wondering is if there are
>already tools out there that do this.  Pointers
>anyone?

One thing you really have to worry about is all these Java Telnet applets
springing up all over the place. A good example of one is:

http://edcen.ehhs.cmich.edu/telnet.html

It is hardcoded to telnet only to a specific host, but there are probably
some on the net which are not security-conscious and allow you to specify
exactly where you want to telnet to. The hard thing is deciding if you want to
block Java at the proxy, since a lot of organizations are using Java to
deploy legitimate web-based applications.

--
Gene Lee
[EMAIL PROTECTED]
[EMAIL PROTECTED]

