Penetration Testing mailing list archives

RE: firewall question


From: "Panos Dimitriou" <p.dimitriou () encode-sec com>
Date: Fri, 15 Feb 2002 11:15:23 +0200


For CheckPoint there is a way to configure it to check that the
connection complies with a valid protocol, at least for HTTP
connections, and not just depending on the destination port. You can use
"resources" and specifically URI resources:

Type:               URI
Name:               http_outbound_resource
Connection Methods: Transparent, Proxy
Exception Track:    Log
Specification:      Wild Cards
Match:
    Schemes:        http
    Methods:        *
    Host:           *
    Path:           *
    Query:          *
Action:
    HTML Weeding:
    Response Scanning:
    CVP:

This URI resource can protect your network from reverse shells which are
established via netcat (at the TCP level). However, there is no
practical way to avoid reverse shells established via something like
"http tunnel" or something more elegant that will establish an SSL
connection (with HTTP CONNECT). This is of course no reason not to apply
CheckPoint's URI resource.

________________________

Panos Dimitriou
Director, Managed Security Services
_________________________

ENCODE S.A.
3, R. Melodou str.
151 25 Marousi
Athens, Greece

_________________________
Tel.:   +30 (1) 6178410
Fax.:   +30 (1) 6109579
E-mail: p.dimitriou () encode-sec com
Web:    www.encode-sec.com
_________________________

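The check Panos describes, deciding on the first bytes of a TCP/80 flow whether it is really HTTP rather than trusting the port number, as an added example that is not part of the original thread or of CheckPoint's product. The sample flows and host names are constructed for the example.

```python
# Added example (not from the original thread): a minimal "is this really
# HTTP?" check of the kind a URI resource performs on outbound TCP/80.
# Only the opening request line is inspected, so a netcat reverse shell or
# a chat client re-pointed to port 80 is refused, while a real request
# passes. An HTTP tunnel using CONNECT also looks like valid HTTP, which is
# exactly the limitation the reply points out; it is a separate policy knob.
import re

# RFC 2616 request line: Method SP Request-URI SP HTTP-Version CRLF
REQUEST_LINE = re.compile(
    rb"^(?P<method>[A-Z]{3,7}) (?P<target>\S+) HTTP/1\.[01]\r\n"
)
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST", b"PUT",
                   b"DELETE", b"OPTIONS", b"TRACE"}
TUNNEL_METHODS = {b"CONNECT"}


def classify_stream(first_bytes: bytes, allow_connect: bool = False) -> str:
    """Return 'allow', 'tunnel' or 'deny' for the start of a port-80 flow."""
    m = REQUEST_LINE.match(first_bytes)
    if not m:
        return "deny"            # shell banner, AIM, Limewire: not HTTP
    method = m.group("method")
    if method in ALLOWED_METHODS:
        return "allow"
    if method in TUNNEL_METHODS:
        return "tunnel" if allow_connect else "deny"
    return "deny"


# Constructed sample flows as the firewall would see them on dst port 80.
SAMPLE_FLOWS = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # netcat reverse shell: the first bytes are whatever the shell prints
    "netcat_shell": b"Microsoft Windows 2000 [Version 5.00.2195]\r\n",
    # chat client moved from 5190 to 80 still speaks its own framing
    "aim_on_80": b"*\x01\x00\x00\x00\x04\x00\x00\x00\x01\x00\x00\x00\x01",
    # HTTP tunnel wrapping an SSL session: syntactically legitimate HTTP
    "http_tunnel": b"CONNECT tunnel.example.net:443 HTTP/1.1\r\n\r\n",
}


def apply_policy(flows=SAMPLE_FLOWS, allow_connect=False):
    """Evaluate every sample flow and return {name: decision}."""
    return {name: classify_stream(data, allow_connect)
            for name, data in flows.items()}


if __name__ == "__main__":
    for name, verdict in apply_policy().items():
        print(f"{name:13s} -> {verdict}")
```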

-----Original Message-----
From: leon [mailto:leon () inyc com] 
Sent: Thursday, February 14, 2002 3:44 AM
To: pen-test () securityfocus com
Subject: firewall question


Hi,

I posted this to the security basics list but nobody answered the
question. I thought maybe the people on this list would know the answer
since they are the ones who have to get around firewalls.


I have a question regarding stateful inspection firewalls
(specifically pix and checkpoint).

It seems to me that a lot of people use either nat or pat and that
these types of firewalls by default drop unsolicited connection
attempts (meaning packets that arrive with the syn bit set). Any
packet that leaves the network is put in the state table so that the
return packets can come back in. My question is this; if I were to
exploit a client-side buffer overflow and I got the system to make a
connection to me via netcat with a destination port of 80, would I
circumvent a majority of the stateful inspection firewalls?  It seems
that these firewalls trust that ALL connections originating from the
inside are good.  Now I know we could block off destination ports of
services we don't want to allow access to (say no port 23 traffic
leaves the network because we don't allow telnet) but I am wondering
if either of these firewalls has a method of filtering based on
protocol (for example allow 80 to be a destination port but only http
traffic can cross it.  No netcat, no aim, no limewire just http).

I have seen a ton of networks where I came in and I found people
using things like aim even though the firewall specifically only
permitted port 80 traffic out (obviously these people switched the
port from 5190 to 80).

So to reiterate: is there a way to configure pix or checkpoint to
judge the connection based on protocol as opposed to arbitrary things
like source ip, destination IP or port numbers?

Cheers and thanks in advance,

Leon

PS: Links are appreciated if possible.




----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
