Firewall Wizards mailing list archives
RE: Re: w00w00 on AIM Filter (Backdoors & SpyWare)
From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Sat, 12 Jan 2002 13:09:07 -0600
-----Original Message-----
From: Joseph S D Yao [mailto:jsdy () center osis gov]
Sent: Thursday, January 10, 2002 2:53 PM

> On Wed, Jan 09, 2002 at 09:26:38PM -0800, Crispin Cowan wrote:
> > ...Exactly how does a firewall protect against this type of attack?
> > By blocking IM protocols so you won't use these vulnerable applications :-)
>
> We've found that the latest AIM client can go out through some HTTP proxies, then try an array of different outgoing ports until it has hooked up to the login server. We can apparently get to AIM, Yahoo, and others this way (ICQ). We haven't looked at the full range of behaviours.
I don't think blocking AIM is a protocol problem, but rather an APPLICATION problem. If your policy states that IM products are not to be used, you should find ways to prevent users from bringing the application in and installing it. It doesn't matter if AIM talks straight IP, HTTP proxy, AIM proxy, or tunnels through something. It's the application that is not desired, not the protocol.

I believe the problem is solved better on the application management level. Sadly, there are not a lot of good products out there. If we could add custom signatures to virus-scanner-like products, the issue would be solved more quickly, at least on resident machines. Laptops, especially from third parties like vendors, still present a problem though, which can only be solved on the network level.

Instead of barring ports, why not use active filtering techniques? If your IDS detects the use of AIM (or another IM product), it could block that person's laptop/desktop and deny him all Internet access (until he becomes policy compliant again).

Comments?

Regards,
Frank

PS: I think Chad's question was 'How does a firewall protect from semantic attacks'...
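The host-level "active filtering" idea in the post above, as an added example that is not part of the original message or of any IDS product: constructed Snort-style alert lines (the rule names, SIDs and addresses are made up) are parsed, any host whose alerts carry an assumed "POLICY IM" signature prefix is treated as an offender regardless of which port or proxy the client used, and one drop rule per host is produced in iptables syntax, assumed to be the enforcement point.

```python
import re
from collections import defaultdict

# Constructed sample alerts in a Snort-style "fast" alert format; the rules,
# SIDs and addresses are made up and only stand in for what an IDS would log.
SAMPLE_ALERTS = """\
01/12-13:01:02.000000 [**] [1:1000001:1] POLICY IM AIM login [**] [Priority: 2] {TCP} 10.1.4.22:3344 -> 203.0.113.10:5190
01/12-13:01:09.000000 [**] [1:1000002:1] POLICY IM AIM via HTTP proxy [**] [Priority: 2] {TCP} 10.1.4.22:3350 -> 10.1.0.5:8080
01/12-13:02:11.000000 [**] [1:1000003:1] POLICY IM Yahoo Messenger login [**] [Priority: 2] {TCP} 10.1.7.9:1123 -> 203.0.113.20:5050
01/12-13:03:40.000000 [**] [1:2000001:1] WEB-MISC robots.txt access [**] [Priority: 2] {TCP} 10.1.4.23:2222 -> 198.51.100.7:80
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alerts(text):
    """Yield one dict per parseable alert line; malformed lines are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()

def im_offenders(text, prefix="POLICY IM"):
    """Map each internal source host to the IM applications it was seen using.
    Only the signature name matters: destination port or proxy in use is
    irrelevant, which is the point of enforcing per host rather than per port."""
    seen = defaultdict(set)
    for a in parse_alerts(text):
        if a["msg"].startswith(prefix):
            seen[a["src"]].add(a["msg"][len(prefix):].strip())
    return dict(seen)

def quarantine_rules(offenders):
    """One drop rule per offending host (iptables syntax is an assumption).
    The host loses all forwarded Internet access, not just the IM ports,
    until an administrator releases it."""
    return [f"iptables -I FORWARD -s {host} -j DROP" for host in sorted(offenders)]

if __name__ == "__main__":
    hosts = im_offenders(SAMPLE_ALERTS)
    for host, apps in sorted(hosts.items()):
        print(f"{host}: {', '.join(sorted(apps))}")
    print("\n".join(quarantine_rules(hosts)))
```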