Security Basics mailing list archives
Re: what should I do when....
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Fri, 11 Jul 2008 19:37:26 +0200
On 2008-07-11 Adriel Desautels wrote:
A firewall is software running on hardware that is designed to enforce security policies that have little effect on how a hacker breaks into your network. So long as the hacker works within those policies his or her traffic will be passed, and they'll get in. A firewall is not a system that *secures* a network, shielding it from access by unauthorized users, but it might want to be and some people might like to think that it does that effectively. Can you show me one that does *secure* a network?
For every security concept you identify threats, break them down into distinct attack scenarios and identify countermeasures for each attack scenario (or decide that you'll live with the risk that the given scenario poses).
During one of our penetration tests I convinced a user to browse to a page hosted on our company website. When they did, their browser was exploited and their computer connected back to me over https. Why did I choose https? I chose https because I knew that the firewall allowed outbound https connections for users. I then used that access to perform distributed metastasis and penetrate other systems. The firewall did not "Secure" the network and "prevent" unauthorized access, we still got in.
There are obviously several ways to deal with this scenario on a firewall-level: a) Disallow https altogether. b) Whitelist sites that are allowed to be accessed via https. c) Man in the middle: Break the https connection into two connections, one from the client to your proxy, the other from your proxy to the server. Then your proxy can inspect/filter the traffic. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
Current thread:
- Re: what should I do when...., (continued)
- Re: what should I do when.... Adriel Desautels (Jul 12)
- Re: what should I do when.... Adriel Desautels (Jul 12)
- Message not available
- Re: what should I do when.... Adriel Desautels (Jul 12)
- RE: what should I do when.... Nick Vaernhoej (Jul 11)
- RE: what should I do when.... Sergio Castro (Jul 11)
- Re: what should I do when.... Adriel Desautels (Jul 11)
- Message not available
- Message not available
- Fwd: what should I do when.... Eric Starace (Jul 11)
- Re: Fwd: what should I do when.... Adriel Desautels (Jul 12)
- Re: what should I do when.... ॐ aditya mukadam ॐ (Jul 11)
- Re: what should I do when.... Adriel Desautels (Jul 11)
- Message not available
- Message not available
- Re: what should I do when.... Ansgar -59cobalt- Wiechers (Jul 15)
- Re: what should I do when.... Adriel Desautels (Jul 15)
- Re: what should I do when.... Ansgar -59cobalt- Wiechers (Jul 15)
- Re: what should I do when.... Dan Anderson (Jul 15)
- RE: what should I do when.... Scott Race (Jul 15)
- Re: what should I do when.... Adriel Desautels (Jul 15)
- RE: what should I do when.... Rivest, Philippe (Jul 10)
- Re: what should I do when.... Ansgar -59cobalt- Wiechers (Jul 10)
- Re: what should I do when.... Adriel Desautels (Jul 11)
- Message not available
- Re: what should I do when.... Ansgar -59cobalt- Wiechers (Jul 11)
- RE: what should I do when.... Worrell, Brian (Jul 11)