Leon - Firewalls that have built-in proxies will solve the problem that you are talking about. Nowadays a wide range of proxies can be run - not just the traditional ones. The proxies essentially take over the connection, typically transparently to both sides of the connection.
- Lee

> -----Original Message-----
> From: leon [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 06, 2002 20:20
> To: [EMAIL PROTECTED]
> Subject: basic stateful inspection question
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi everyone,
>
> I have a question regarding stateful inspection firewalls (specifically PIX and Checkpoint).
>
> It seems to me that a lot of people use either NAT or PAT and that these types of firewalls by default drop unsolicited connection attempts (meaning packets that arrive with the SYN bit set). Any packet that leaves the network is put in the state table so that the return packets can come back in.
>
> My question is this: if I were to exploit a client-side buffer overflow and I got the system to make a connection to me via netcat with a destination port of 80, would I circumvent a majority of the stateful inspection firewalls? It seems that these firewalls trust that ALL connections originating from the inside are good. Now I know we could block off destination ports of services we don't want to allow access to (say no port 23 traffic leaves the network because we don't allow telnet), but I am wondering if either of these firewalls has a method of filtering based on protocol (for example, allow 80 to be a destination port but only HTTP traffic can cross it: no netcat, no AIM, no LimeWire, just HTTP).
>
> I have seen a ton of networks where I came in and I found people using things like AIM even though the firewall specifically only permitted port 80 traffic out (obviously these people switched the port from 5190 to 80).
>
> So to reiterate: is there a way to configure PIX or Checkpoint to judge the connection based on protocol as opposed to arbitrary things like source IP, destination IP or port numbers?
>
> Cheers and thanks in advance,
>
> PS: Links are appreciated but flames are not :)
>
> Leon
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBPGHkRtqAgf0xoaEuEQJgUgCgiGaVcoapw7+T4+QYqADv/jJYIycAni9v
> W0GcE8qAvdNF6ZNanoDjjyn3
> =u/Nk
> -----END PGP SIGNATURE-----
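The difference between the two designs discussed in this thread, as an added example that is not part of either message and is not PIX or Check Point code: a stateful rule that permits outbound port 80 passes every one of the constructed samples below, because it only looks at addresses, ports and the TCP state table. A protocol-aware proxy that takes over the connection can instead insist that whatever the inside host sends first on a port-80 connection is a well-formed HTTP request head before it relays a single byte. The method policy, the 8 KiB head limit, the `inspect_client_head` function and the sample traffic (a browser request, the output a `netcat -e /bin/sh` reverse shell would emit, an AIM-style binary frame, a half-received request, a CONNECT tunnel attempt and an HTTP/1.1 request with no Host header) are all hypothetical and constructed for this illustration.

```python
import re

# Hypothetical policy for a transparent proxy sitting on outbound port 80.
MAX_HEAD = 8192  # bytes of request head we will buffer before deciding

# Methods this policy lets through. CONNECT is deliberately absent: it would
# turn the proxy into a generic TCP tunnel, which is exactly what the
# original question wants to prevent.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

# HTTP/1.x request-line and header-field syntax. Lines are split on "\r\n"
# before matching, so neither pattern includes the line terminator.
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.([01])$")
HEADER_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*[^\r\n]*$")


def inspect_client_head(data: bytes) -> str:
    """Classify what an inside client has sent so far on a port-80 connection.

    Returns "relay" (well-formed HTTP request head, hand the socket to the
    relay loop), "wait" (could still become one, keep buffering) or
    "drop" (not HTTP: close the connection without ever reaching the server).
    """
    if len(data) > MAX_HEAD:
        return "drop"  # oversized head; no browser we care about does this
    # Anything outside printable ASCII plus CR/LF/TAB is not an HTTP head:
    # AIM FLAP frames, TLS ClientHellos and raw shell traffic all fail here.
    if any(b > 0x7E or (b < 0x20 and b not in (0x0D, 0x0A, 0x09)) for b in data):
        return "drop"
    end = data.find(b"\r\n\r\n")
    if end == -1:
        # No complete head yet. If the first line is already terminated it
        # must be a valid request line; HTTP requires CRLF, so a bare LF
        # (what a shell prints) fails the check rather than waiting forever.
        if b"\n" in data:
            first = data.split(b"\n", 1)[0]
            if not first.endswith(b"\r") or not REQUEST_LINE.match(first[:-1]):
                return "drop"
        return "wait"
    lines = data[:end].split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None or m.group(1).decode("ascii") not in ALLOWED_METHODS:
        return "drop"
    names = set()
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if h is None:
            return "drop"  # a header line that is not a header line
        names.add(h.group(1).lower())
    if m.group(3) == b"1" and b"host" not in names:
        return "drop"  # HTTP/1.1 requires a Host header
    return "relay"


# Constructed sample traffic: the first bytes an inside host sends on a
# connection whose destination port is 80. Every one of these passes a
# port-based stateful rule; only the first passes the proxy check.
GOOD_GET = (b"GET /index.html HTTP/1.1\r\n"
            b"Host: www.example.com\r\n"
            b"User-Agent: example-browser\r\n\r\n")
SHELL_OUTPUT = b"uid=0(root) gid=0(root) groups=0(root)\n"   # netcat -e /bin/sh
FLAP_FRAME = b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"      # AIM-style binary frame
PARTIAL_GET = b"GET /inde"                                     # still arriving
CONNECT_REQ = (b"CONNECT www.example.com:443 HTTP/1.1\r\n"
               b"Host: www.example.com:443\r\n\r\n")
NO_HOST = b"GET / HTTP/1.1\r\n\r\n"


def run_samples() -> dict:
    """Return the proxy's verdict for each constructed sample."""
    return {
        "browser request": inspect_client_head(GOOD_GET),
        "reverse shell": inspect_client_head(SHELL_OUTPUT),
        "binary chat frame": inspect_client_head(FLAP_FRAME),
        "half a request": inspect_client_head(PARTIAL_GET),
        "CONNECT tunnel": inspect_client_head(CONNECT_REQ),
        "HTTP/1.1 without Host": inspect_client_head(NO_HOST),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24s} -> {verdict}")
```

Two caveats a practitioner would want: a reverse shell whose operator speaks first sends nothing, so the proxy also needs an idle timeout on connections that never leave the "wait" state; and a determined attacker can wrap a tunnel in syntactically valid HTTP requests, so this check raises the bar to "must look like HTTP" rather than proving the traffic is a web browser.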