firewall question

["leon" <leon () inyc com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I posted this to the security basics list but nobody answered the
question.  I thought maybe
the people on this list would know the answer since they are the ones
who have to get around firewalls.  


I have a question regarding stateful inspection firewalls
(specifically pix and checkpoint).

It seems to me that a lot of people use either nat or pat and that
these types of firewalls by default drop unsolicited connection
attempts (meaning packets that arrive with the syn bit set). Any
packet that leaves the network is put in the state table so that the
return packets can come back in. My question is this; if I were to
exploit a client-side buffer overflow and I got the system to make a
connection to me via netcat with a destination port of 80, would I
circumvent a majority of the stateful inspection firewalls?  It seems
that these firewalls trust that ALL connections originating from the
inside are good.  Now I know we could block off destination ports of
services we don't want to allow access to (say no port 23 traffic
leaves the network because we don't allow telnet) but I am wondering
if either of these firewalls have a method of filtering based on
protocol (for example allow 80 to be a destination port but only http
traffic can cross it.  No netcat, no aim, no limewire just http.

I have seen a ton of networks where I came in and I found people
using things like aim even though the firewall specifically only
permitted port 80 traffic out (obviously these people switched the
port from 5190 to 80).

So to reiterate; is there a way to configure pix or checkpoint to
judge the connection based on protocol as opposed to arbitrary things
like source ip, destination IP or port numbers?

Cheers and thanks in advance,

Leon

PS: Links are appreciated if possible.


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPGsWcNqAgf0xoaEuEQIxyQCgkN0VREzUZDZxaD6bvvxhi5J5MeMAnjmH
87LbvB+D88XdlIzKulw6uR4n
=6Pir
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/