From: Gary E. Miller (gem@rellim.com)
Date: Thu Sep 02 2004 - 20:04:05 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Yo Jose!
On Thu, 2 Sep 2004, Jose Maria Lopez wrote:
> But if you allow in and out from specific ports you have at least a
> second level of security over what the original poster said it had.
> Only allowing out from some IPs it's possible, but I find it very
> difficult to make rules for the outer IPs, having in mind the original
> poster wants to have internet connection from the LAN for that
> machines.
If you leave just ONE port open, then an insider can use it to tunnel
out. That one port is often DNS/udp. You have to work very, very,
hard to filter out IP over DNS/udp. You could force the use of
an internal DNS server, but if it allows any recursive lookups out
of the firewall then game over.
This /. describes how to do it:
http://slashdot.org/articles/00/09/10/2230242.shtml
The insider does not even need an open port. Only TCP/IP (proto 6) and
TCP/UDP (proto 17) use "ports". The insider can just use a "portless"
protocol like TCP/ICMP (proto 1), TCP/ESP (proto 50), TCP/AH (proto 51),
etc.
There are several IPSEC stacks available as freeware that use TCP/ESP
and TCP/AH.
RGDS
GARY
- ---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
gem@rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFBN7T48KZibdeR3qURAm4gAJ9GXYH6eeVS55+ai8SLOT93raeBKACg2BGf
QUxTOF4ZbKCUlGm33D2r0+w=
=HiIK
-----END PGP SIGNATURE-----
------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:03 EDT