Seems M$ got that partly right then, even on Windows <now that they
patched a few parts of the TCP/IP stack and the OS a tad>, for try
telnetting to, like, 137, 138, or 139 on a Windows box and tossing crap at
it.  

darkstar:/etc/ppp# telnet s2.dial13.new.nac.net 139
Trying 209.123.99.102...
Connected to s2.dial13.new.nac.net.
Escape character is '^]'.

��Connection closed by foreign host.

Why would this be such a tough thing for a firewall, or more specifically for
a REAL proxy rather than a mere tunnel?

Thanks,

Ron DuFresne

On Wed, 8 Mar 2000, John Adams wrote:

> On Wed, 8 Mar 2000, Ng, Kenneth (US) wrote:
> 
> > You want the truth?  I caught one major firewall vendor in a big lie over
> > this one.  Their so called proxy was nothing more than a transparent
> > connection, yet when I asked them if I put a telnet daemon on another
> 
> Very few firewalls actually check that the protocol travelling over a
> particular port -really is- what the port is supposed to be used for.
> 
> Anyhow, I see this as an easily spoofable scenario, and building a
> firewall to do protocol analysis would also have to support resetting the
> connection if the protocol should ever deviate from the established norm.
> It seems like this would be an incredible amount of work for the firewall
> to do on each packet, as it would now have to maintain state for each
> conversation (per protocol).
> 
> Consider this, an inside employee sets up an ftp server on port 80 of
> their home machine, and you don't want anyone using ftp because they might
> ftp out your super seekrit widget plans. You say that outbound port 80
> should only be web, but I blast a bunch of packets before my ftp
> connection setup to fool the firewall (even better, I just forget the
> whole FTP thing and perform an HTTP PUT...) 
> 
> IMHO, it's just too complex and not a real solution to security.
> 
> -john
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
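An added example (mine, not from anyone in this thread) of the first-message protocol check a real proxy, as opposed to a tunnel, would apply to John's FTP-on-port-80 case and Ron's port-139 probe before relaying a connection. The sample bytes are constructed, the NetBIOS names are made up, and the port-to-validator table is an assumption; it also shows John's caveat, since an HTTP PUT is perfectly conformant and passes.

```python
import re

# A first-message protocol check of the kind a "real" proxy would apply
# before relaying a connection. Only the opening bytes are inspected.

HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n")

def looks_like_http(data: bytes) -> bool:
    """Port 80: the first line must be a syntactically valid HTTP/1.x request line."""
    return HTTP_REQUEST_LINE.match(data) is not None

def _valid_nb_name(blob: bytes) -> bool:
    # First-level encoded NetBIOS name: 0x20 length byte, 32 chars in 'A'..'P', 0x00.
    return (len(blob) == 34 and blob[0] == 0x20 and blob[33] == 0x00
            and all(0x41 <= c <= 0x50 for c in blob[1:33]))

def looks_like_netbios_session_request(data: bytes) -> bool:
    """Port 139: the first message must be a NetBIOS Session Request (type 0x81,
    RFC 1002) carrying an encoded called name and calling name."""
    if len(data) < 4 or data[0] != 0x81:
        return False
    length = ((data[1] & 0x01) << 16) | (data[2] << 8) | data[3]
    body = data[4:4 + length]
    if length != 68 or len(body) != 68:
        return False
    return _valid_nb_name(body[:34]) and _valid_nb_name(body[34:])

# Assumed mapping of expected protocol per port (not from any real product).
VALIDATORS = {80: looks_like_http, 139: looks_like_netbios_session_request}

def proxy_verdict(port: int, first_bytes: bytes) -> str:
    """'relay' if the opening bytes conform to the protocol expected on the port, else 'reset'."""
    check = VALIDATORS.get(port)
    if check is None:
        return "reset"  # unknown port: a proxy, unlike a tunnel, refuses by default
    return "relay" if check(first_bytes) else "reset"

# Constructed samples (not captured traffic); the NetBIOS names are arbitrary.
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
HTTP_PUT = b"PUT /plans.zip HTTP/1.1\r\nHost: example.com\r\n\r\n"
FTP_ON_80 = b"USER anonymous\r\n"
NBT_SESSION_REQ = (bytes([0x81, 0x00, 0x00, 0x44])
                   + b"\x20" + b"EHEPFCEFFCCACACACACACACACACACACA" + b"\x00"
                   + b"\x20" + b"FDEBEOEDFDCACACACACACACACACACACA" + b"\x00")
GARBAGE_ON_139 = b"hello there\r\n"

if __name__ == "__main__":
    for port, data in [(80, HTTP_GET), (80, FTP_ON_80), (80, HTTP_PUT),
                       (139, NBT_SESSION_REQ), (139, GARBAGE_ON_139)]:
        print(port, proxy_verdict(port, data), data[:16])
```

Note that the check only classifies the opening message; a client that sends a conformant first message and then switches protocols, as John describes, needs per-connection state tracking to catch.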
