Firewall Wizards mailing list archives
Re: nmap fun
From: Bret Watson <lists () ticm com>
Date: Thu, 26 Oct 2000 22:51:27 +0800
At 09:28 AM 26/10/00 -0400, you wrote:
> This is a consequence of the underlying way Gauntlet (and other commercial proxy-based firewalls, for that matter) interfaces with the underlying OS and isn't so easy to change. Basically, it inserts code into the underlying OS IP stack that delivers packets destined for the "proxied" systems to the proxies. Since these proxies run as regular user-mode programs, they can't examine their traffic without going through the usual socket() or TLI APIs, which means they can't reject traffic without completing the TCP handshakes.
Truly this is so - but the interesting bit is that nmap was finding X Windows, SNMP and other 'nice' services that would certainly attract a hacker, but no proxy on the firewall was set for them.

But you're right - run a NetBIOS probe across an NT Gauntlet and you'll see some interesting info, even if the packet filters are supposed to be set to bar NetBIOS traffic...

Yep, Marcus was right - by getting transparent proxies we traded a definite level of security, and one should always remember that the standard textbook firewall config always includes a screening router (aka packet filter) in front - it's there for a reason, guys!

Still, it makes one truly uncomfortable trying to defend APs against packet filters when they become transparent to nmap.
Cheers, Bret

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
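Added example (not part of the original post, and not Gauntlet or any other product's code): the mechanism quoted above means a SYN or connect scan sees a completed three-way handshake on every proxied port, whether or not a proxy is actually configured behind it, so nmap reports "open". What a scanner can still look at is what happens *after* the handshake: a proxy with no backend service tends to accept and then drop the connection without sending a byte, while a real service usually greets the client or at least stays connected. The Python below stands up three constructed local listeners that model those behaviours (a proxy with no backend, a banner-sending service, and a proxy that waits for the client to talk first), plus one port nothing listens on, and classifies each. The listener names, port choices and the "accepted-then-closed" verdict are assumptions of this example; the verdict is a heuristic hint that something accepted and dropped the connection, not proof of a proxy firewall.

```python
import socket
import threading
import time

# Constructed stand-in listeners: they model the behaviour described in the
# thread and are not Gauntlet or any other real firewall.

def _serve(srv, handler):
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:
            return                      # listener was shut down
        threading.Thread(target=handler, args=(conn,), daemon=True).start()

def start_listener(handler):
    """Listen on 127.0.0.1 on an OS-chosen port; return (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    threading.Thread(target=_serve, args=(srv, handler), daemon=True).start()
    return srv, srv.getsockname()[1]

def proxy_no_backend_handler(conn):
    # The kernel has already completed the three-way handshake on our behalf
    # (that is what a SYN scan sees); the user-mode "proxy" then finds no
    # service configured for this port and drops the connection silently.
    conn.close()

def banner_handler(conn):
    # A real service that talks first (SMTP-style greeting).
    conn.sendall(b"220 service ready\r\n")
    conn.close()

def hold_handler(conn):
    # A proxy (or service) that waits for the client to speak first.
    time.sleep(3)
    conn.close()

def classify_port(host, port, timeout=1.0):
    """Connect, then watch what the peer does after the handshake.
    Returns 'closed', 'accepted-then-closed', 'banner' or 'silent'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except OSError:                     # refused (RST) or timed out (filtered)
        s.close()
        return "closed"
    try:
        data = s.recv(64)
    except socket.timeout:
        s.close()
        return "silent"                 # open, no data, not closed: ambiguous
    s.close()
    # recv() returning b"" means the peer closed right after the handshake.
    return "banner" if data else "accepted-then-closed"

def demo():
    """Stand up the three listeners plus one unbound port and classify each."""
    listeners = {
        "proxied, no backend":      start_listener(proxy_no_backend_handler),
        "real service":             start_listener(banner_handler),
        "proxy waiting on client":  start_listener(hold_handler),
    }
    # Reserve and release a port so we have one nothing is listening on.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    unused_port = tmp.getsockname()[1]
    tmp.close()

    results = {name: classify_port("127.0.0.1", port)
               for name, (_, port) in listeners.items()}
    results["nothing listening"] = classify_port("127.0.0.1", unused_port)

    for srv, _ in listeners.values():
        try:
            srv.shutdown(socket.SHUT_RDWR)  # unblock the accept() thread
        except OSError:
            pass
        srv.close()
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

Against a real target, run `classify_port` over the ports nmap reported open: a run of "accepted-then-closed" verdicts on ports with no plausible service behind them is the signature this thread is describing. It does not tell you which ports the proxy would actually relay for, and a packet filter that silently drops SYNs lands in the same "closed" bucket as a port with nothing listening.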
Current thread:
- Re: nmap fun Chris Calabrese (Oct 27)
- Re: nmap fun Bret Watson (Oct 27)
- Re: nmap fun Magosányi Árpád (Oct 28)
- <Possible follow-ups>
- FW: nmap fun LeGrow, Matt (Oct 27)
- RE: nmap fun Frank Knobbe (Oct 27)
- RE: nmap fun LeGrow, Matt (Oct 27)
- RE: nmap fun Bret Watson (Oct 28)
- RE: FW: nmap fun LeGrow, Matt (Oct 28)
- Re: nmap fun Bret Watson (Oct 27)