Any working TCP/IP connection can transmit covert data by encoding the
data in the sequence numbers.
Let's not forget to block/allow new protocols such as described in RFC 1149
On 5/7/07, Open Phugu [EMAIL PROTECTED] wrote:
On 5/7/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
From: Sebastian
From: Sebastian Benoit [EMAIL PROTECTED]
If you want deny users the possiblility to smuggle data outside of
their
workplace (or whatever) then don't connect them to the internet.
No, no, no. You must go one step beyond this if you want to
prevent employees from smuggling data. To do this
On 4/25/07, Allen Theobald [EMAIL PROTECTED] wrote:
Greetings! Included below is my pf.conf set up to use
dansguardian (proxyport 3128, filterport 8080)
and tinyproxy (listen port 3128) as a transparent
proxy.
What changes do I need to make to keep someone on
int_if/int_net from circumventing
On 5/7/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
From: Sebastian Benoit [EMAIL PROTECTED]
If you want deny users the possiblility to smuggle data outside of
their
workplace (or whatever) then don't connect them to the internet.
No, no, no. You must go one step beyond this if you want to
* Chad M Stewart [EMAIL PROTECTED] [2007-04-25 19:31]:
On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
pass in inet proto icmp all icmp-type $icmp_types keep state
This can be used as a covert communication channel. Allowing
internal IPs to send/receive ping is bad.
that is the
On 5/4/07, Henning Brauer [EMAIL PROTECTED] wrote:
* Chad M Stewart [EMAIL PROTECTED] [2007-04-25 19:31]:
On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
pass in inet proto icmp all icmp-type $icmp_types keep state
This can be used as a covert communication channel. Allowing
internal
* Open Phugu [EMAIL PROTECTED] [2007-05-04 15:36]:
On 5/4/07, Henning Brauer [EMAIL PROTECTED] wrote:
* Chad M Stewart [EMAIL PROTECTED] [2007-04-25 19:31]:
On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
pass in inet proto icmp all icmp-type $icmp_types keep state
This can be used
On Fri, 2007-05-04 at 07:26 -0600, Open Phugu wrote:
if you deny icmp, you shall burn in hell
You may burn in hell, but ICMP can be used to infiltrate and exfiltrate data:
http://www.cs.uit.no/~daniels/PingTunnel/
This looks like it's pretty trivially defeated; bzero()'ing the data
On Friday 04 May 2007 15:42:58 Henning Brauer wrote:
so can underwear, so let us require everybody to work naked
Actually, depending who you work with, this can be a good thing...
--
Antoine
On Fri, May 04, 2007 at 07:26:32AM -0600, Open Phugu wrote:
On 5/4/07, Henning Brauer [EMAIL PROTECTED] wrote:
* Chad M Stewart [EMAIL PROTECTED] [2007-04-25 19:31]:
On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
pass in inet proto icmp all icmp-type $icmp_types keep state
This can
Bret Lambert([EMAIL PROTECTED]) on 2007.05.04 09:47:43 +:
This looks like it's pretty trivially defeated; bzero()'ing the data
portion of the ICMP echo request/response removes the piggybacked data
channel.
Then I'll encode my data with the morse over ping protocol.
If a user can send any
On Fri, 2007-05-04 at 09:47 -0400, Bret Lambert wrote:
On Fri, 2007-05-04 at 07:26 -0600, Open Phugu wrote:
if you deny icmp, you shall burn in hell
You may burn in hell, but ICMP can be used to infiltrate and exfiltrate
data:
http://www.cs.uit.no/~daniels/PingTunnel/
This looks like
On Wed, 25 Apr 2007 16:29:17 -0600
Tobias Weingartner [EMAIL PROTECTED] wrote:
On Wednesday, April 25, Timo Schoeler wrote:
actually, me thinks the same about allowing/denying ICMP as you,
tobias. however, we recently had a CCIE/NSA certified blahblah guy
in our company, tuning our,
Greetings! Included below is my pf.conf set up to use
dansguardian (proxyport 3128, filterport 8080)
and tinyproxy (listen port 3128) as a transparent
proxy.
What changes do I need to make to keep someone on
int_if/int_net from circumventing dansguardian
by changing their browser to point to
On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
pass in inet proto icmp all icmp-type $icmp_types keep state
This can be used as a covert communication channel. Allowing
internal IPs to send/receive ping is bad.
As for your question, only allow internal devices to do what you want
Chad M Stewart wrote:
On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
pass in inet proto icmp all icmp-type $icmp_types keep state
This can be used as a covert communication channel. Allowing
internal IPs to send/receive ping is bad.
Bull. Not allowing ICMP is just as bad.
On Wed, 25 Apr 2007 20:19:42 + (UTC)
Tobias Weingartner [EMAIL PROTECTED] wrote:
Chad M Stewart wrote:
On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
pass in inet proto icmp all icmp-type $icmp_types keep state
This can be used as a covert communication channel. Allowing
On Apr 25, 2007, at 4:19 PM, Tobias Weingartner wrote:
Chad M Stewart wrote:
On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
pass in inet proto icmp all icmp-type $icmp_types keep state
This can be used as a covert communication channel. Allowing
internal IPs to send/receive ping
On Wed, 25 Apr 2007 23:56:50 +0200
Joachim Schipper [EMAIL PROTECTED] wrote:
On Wed, Apr 25, 2007 at 10:40:45PM +0200, Timo Schoeler wrote:
On Wed, 25 Apr 2007 20:19:42 + (UTC)
Tobias Weingartner [EMAIL PROTECTED] wrote:
Chad M Stewart wrote:
On Apr 25, 2007, at 11:05 AM,
On 25/04/07, Joachim Schipper [EMAIL PROTECTED] wrote:
On Wed, Apr 25, 2007 at 10:40:45PM +0200, Timo Schoeler wrote:
On Wed, 25 Apr 2007 20:19:42 + (UTC)
Tobias Weingartner [EMAIL PROTECTED] wrote:
Chad M Stewart wrote:
On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
I did NOT suggest blocking ALL ICMP, just echo-request and echo-
replies from internal hosts to untrusted IPs. Trojans have used
echo-request and echo-reply as a method of covert communication. If
you had read the original post you'd see that $icmp_types was defined
to be echoreq.
Although it's not well known TCP seriously depends on ICMP packets of
type 3 code 4 for Path MTU Discovery (PTMTUD). Blocking of these
packets lead to congested IP connections, broken transmissions and thus
to frustrated users.
Some documentation:
http://en.wikipedia.org/wiki/Pmtud
On 2007/04/26 01:01, chefren wrote:
Although it's not well known TCP seriously depends on ICMP packets of
type 3 code 4 for Path MTU Discovery (PTMTUD). Blocking of these
packets lead to congested IP connections, broken transmissions and thus
to frustrated users.
for PF, 'keep state' on
On 2007/04/26 08:02, Mathieu Sauve-Frankel wrote:
I did NOT suggest blocking ALL ICMP, just echo-request and echo-
replies from internal hosts to untrusted IPs. Trojans have used
echo-request and echo-reply as a method of covert communication. If
you had read the original post
On Wednesday, April 25, Chad M Stewart wrote:
I did NOT suggest blocking ALL ICMP, just echo-request and echo-
replies from internal hosts to untrusted IPs.
And how is this not violating RFCs?
Trojans have used echo-request and echo-reply as a method of covert
communication.
I've you've
Tobias Weingartner wrote:
Telling people to worry about the door to the barn after the horse
has left is not FUD? It's not misdirection? Tell them to solve the
root of their problems instead.
Don't poo-poo his effort to mitigate information leaks.
Did you realize that even LAMP can be used
On Wednesday 25 April 2007 17:48, Jason Dixon wrote:
Tobias Weingartner wrote:
Telling people to worry about the door to the barn after the horse
has left is not FUD? It's not misdirection? Tell them to solve
the root of their problems instead.
Don't poo-poo his effort to mitigate
Tobias Weingartner wrote:
Chad M Stewart wrote:
On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
pass in inet proto icmp all icmp-type $icmp_types keep state
This can be used as a covert communication channel. Allowing
internal IPs to send/receive ping is bad.
Bull. Not allowing
28 matches
Mail list logo