Firewall Wizards mailing list archives

Re: nmap fun


From: Bret Watson <lists () ticm com>
Date: Thu, 26 Oct 2000 22:51:27 +0800

At 09:28 AM 26/10/00 -0400, you wrote:
> This is a consequence of the underlying way Gauntlet
> (and other commercial proxy-based firewalls, for that matter)
> interfaces with the underlying OS and isn't so easy to change.
>
> Basically, it inserts code into the underlying OS IP stack
> that delivers packets destined for the "proxied" systems
> to the proxies.  Since these proxies run as regular user-mode
> programs, they can't examine their traffic without going through the
> usual socket() or TLI APIs, which means they can't reject traffic
> without completing the TCP handshakes.

Truly this is so - but the interesting bit is that nmap was finding X Windows, SNMP and other 'nice' services that would certainly attract a hacker, but no proxy on the firewall was set for them.

But you're right - run a NetBIOS probe across an NT Gauntlet and you'll see some interesting info - even if the packet filters are supposed to be set to bar NetBIOS traffic...

Yep, Marcus was right - by getting transparent proxies we traded a definite level of security, and one should always remember that the standard textbook firewall config always includes a screening router (aka packet filter) in front - it's there for a reason, guys!...

Still, it makes one truly uncomfortable trying to defend APs against packet filters when they become transparent to nmap.

Cheers,

Bret


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
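The mechanism the quoted reply describes (the kernel completes the TCP handshake for any listening socket before a user-mode proxy ever sees the connection, so the proxy can only refuse it afterwards) can be simulated on loopback with plain sockets. This is an added illustration, not Gauntlet's code; the "rule" flag and the banner are constructed, and the three probes show what a scanner sees for a proxied port, an unproxied port the proxy still answers, and a port behind a packet filter with no listener at all.

```python
import socket
import threading

# Constructed simulation (not Gauntlet code): a user-mode "proxy" listener.
# Whether or not it has a rule for the service, the kernel has already
# completed the three-way handshake by the time accept() returns, so the
# only way to refuse an unwanted connection is to close it afterwards.
BANNER = b"proxy ready\n"  # constructed banner for the proxied service


def proxy_listener(has_rule):
    """Start a loopback listener; return its port. The handler accepts one
    connection, sends a banner only if a proxy rule exists, then closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port chosen by the OS
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()      # handshake is already done here
        if has_rule:
            conn.sendall(BANNER)
        conn.close()                # reject-after-accept for unproxied ports
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def probe(port, timeout=2.0):
    """Scanner's view of a port: 'open' if connect() succeeds (handshake
    completed), plus whatever application data followed before close."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(("127.0.0.1", port))
    except (ConnectionRefusedError, socket.timeout):
        s.close()
        return "closed", b""
    try:
        return "open", s.recv(64)   # b"" means closed with no data
    except socket.timeout:
        return "open", b""
    finally:
        s.close()


def demo():
    """Probe three cases; an 'open' port with no data is the proxy artefact."""
    unused = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    unused.bind(("127.0.0.1", 0))
    free_port = unused.getsockname()[1]
    unused.close()                  # nothing listens here: filtered/closed
    return {"with_rule": probe(proxy_listener(True)),
            "no_rule": probe(proxy_listener(False)),
            "no_listener": probe(free_port)}
```

The "no_rule" case is what the thread is complaining about: nmap's connect scan reports the port open even though no service is proxied there, whereas the "no_listener" case is what a screening router in front would produce.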

