----- Original Message -----
Sent: Thursday, June 13, 2002 3:59 AM
Subject: Re: [FW-1] [fw-1] Instant Messenger bypass FW-1
I've been watching this for some days now. Yes, I agree that AIM and others pose a great security threat for a Company. But how does it pose a great security threat? I mean that someone (maybe a Firewall Administrator) should put something like (InternalNET)-(Any)-(TCP/UDP 53)-(Accept) inside the rule base. He or she could also put something like (DnsGroup)-blah-blah-(Accept) inside the rule base. In both cases, if the client with AIM installed is included in there, you people have a problem. You may also have a problem if AIM can connect using a proxy server over HTTP-HTTPS-FTP etc. But isn't it a best practice (or the ONE AND ONLY DEFAULT RULE ANY-ANY-ANY-DROP-LONG) to deny both incoming and outgoing connections when installing a firewall? Shouldn't everyone start by denying EVERYTHING and then ACCEPTING only the ones ABSOLUTELY necessary? I really don't know if the AIM client can use a proxy server to initiate a connection and connect to the AIM servers.

What I believe is that Companies that have already invested $K's on security could afford to install a chat server. Most Companies have M$ Exchange Server, so they could install M$ Chat Server (I believe it is free of charge) and communicate with the remote branches all over the world using M$ Chat. This would satisfy their need for cheap, easy, ready-to-rock communications. Needless to say, they can configure both the Server and the Firewall to accept connections from specific hosts and no one else. Companies that don't have M$ Exchange Server could settle for something else (I don't know what, maybe AIM Server or something else; I guess there are a lot of freeware or low-cost programs out there). So what's all the commotion?

What about ICMP? Should one allow outgoing and incoming ICMP for everyone in the Corporate Domain? I don't think so. ICMP poses another great threat for Companies. Needless to say, ICMP is an administrative tool whose use should be allowed ONLY for the Administrators of a Company.

Come on people, we are supposed to be Firewall Administrators or something like that. We are not supposed to let everything in and out of our Domains. I also cannot understand some people leaving the implied rules on. Do many Administrators do that? How come? Are you too bored to find out what you should do to have the same functionality using explicit rules? Is it so hard to put in some rules allowing connections to the Firewall ONLY from specific hosts (Management Server, Logging Administrator, Firewall Engineer etc.)? I don't think so.

Another thing for AIM is (maybe I am wrong though) that one could start a network monitor and capture data and connection patterns from the AIM client. This way he or she could create a custom service and finally block the AIM traffic itself rather than the login servers for AIM. Just some thoughts I have.

P.S. I am not a Firewall or Security expert and I don't consider myself to be one. One thing I know is that, no matter how hard or pain in the *** it is, you should start by defining (ANY)-(ANY)-(ANY)-(DROP)-(LONG) in the rulebase, rather than (ANY)-(ANY)-(ANY)-(ACCEPT). You can argue if you want to.
Cheers
Dimitris.
-----Original Message-----
From: Don [mailto:[email protected]]
Sent: Wednesday, June 12, 2002 6:44 PM
To: [email protected]
Subject: Re: [FW-1] [fw-1] Instant Messenger bypass FW-1
> All stateful firewalls and packet filtering devices will be vulnerable to
> this type of behavior because they use information contained in the network
> (ip addresses) and transport (tcp/udp/etc) to determine whether or not
> information should go through the firewall. Any malicious or "slippery"
> software will easily bypass a firewall in the outbound direction.

Only if your policy allows all outbound traffic, which it should not.
(I do this all the time anyway... just pointing out best practices)

> In some cases, inbound traffic is subject to this as well. For
> instance, one piece of software used ICMP echo replies to communicate
> with "controlled" machines.

There is almost no reason to allow internal machines to ping out to the
Internet in the first place. Block ICMP both ways and this is not a
problem. Allow echo replies to a single trusted system that you control
and can use for network testing.

-Don
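The two policy points argued in both messages above (Dimitris's "start from (ANY)-(ANY)-(ANY)-(DROP)-(LONG) and add only explicit rules", and Don's "block ICMP both ways, allow echo replies to a single trusted system") can be checked against concrete traffic. The following is an added example, not code from either poster or from Check Point: a small first-match rulebase simulator in Python that runs a handful of constructed connection attempts through the loose (InternalNET)-(Any)-(TCP/UDP 53)-(Accept) rule, through a DnsGroup-restricted version of it, and through explicit ICMP and management rules. All networks, hosts, rule names and the FW-1 management port numbers are assumptions made for the example, as is the AIM client falling back to port 53; 5190 is AIM's usual port.

```python
"""First-match rulebase simulator for the policy questions raised in the thread.

Added example, not code from the original posts or from Check Point. It models
a FW-1-style first-match rulebase (Source, Destination, Service, Action, Track)
and evaluates constructed flows against a loose and a tight policy. Address
ranges are RFC 1918 / RFC 5737 documentation space; port 5190 is AIM's usual
port; the AIM-over-53 fallback and the FW-1 management ports are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"  # wildcard for source, destination or service


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    port: int           # destination port, or the ICMP type when proto == "icmp"


@dataclass(frozen=True)
class Rule:
    name: str
    src: object         # ANY or a tuple of CIDR strings
    dst: object         # ANY or a tuple of CIDR strings
    services: object    # ANY or a frozenset of (proto, port) pairs
    action: str         # "accept" or "drop"
    track: str = "none" # "long" means the match is logged, like FW-1's Track column


def _addr_matches(spec, addr):
    return spec == ANY or any(ip_address(addr) in ip_network(n) for n in spec)


def _service_matches(spec, flow):
    return spec == ANY or (flow.proto, flow.port) in spec


def evaluate(rulebase, flow):
    """Return (rule name, action, logged) for the first rule the flow matches.

    If nothing matches, the packet is still dropped, but silently. That is the
    difference between relying on the implicit drop and writing the explicit
    (ANY)-(ANY)-(ANY)-(DROP)-(LONG) cleanup rule the thread recommends.
    """
    for rule in rulebase:
        if (_addr_matches(rule.src, flow.src) and _addr_matches(rule.dst, flow.dst)
                and _service_matches(rule.services, flow)):
            return rule.name, rule.action, rule.track == "long"
    return "implicit-drop", "drop", False


# Constructed address book (hypothetical values, not a real site).
INTERNAL_NET = ("10.0.0.0/8",)
DNS_GROUP = ("10.0.0.53/32", "10.0.0.54/32")        # the internal resolvers
PING_HOST = ("10.0.0.9/32",)                        # Don's single trusted test system
MGMT_HOSTS = ("10.0.0.2/32", "10.0.0.3/32")         # management server, log server
FIREWALL = ("10.0.0.1/32",)
DNS = frozenset({("tcp", 53), ("udp", 53)})
ECHO_REQUEST = frozenset({("icmp", 8)})
ECHO_REPLY = frozenset({("icmp", 0)})
FW1_MGMT = frozenset({("tcp", 256), ("tcp", 257)})  # assumed FW-1 control/log ports

CLEANUP = Rule("cleanup", ANY, ANY, ANY, "drop", "long")


def loose_policy():
    """The rule Dimitris warns about: any internal host may reach any host on 53."""
    return [Rule("dns-to-anywhere", INTERNAL_NET, ANY, DNS, "accept", "long"), CLEANUP]


def tight_policy():
    """Default deny with explicit rules only: DNS to the resolvers, ICMP for one
    host, management traffic to the firewall from named hosts, then cleanup."""
    return [
        Rule("dns-to-resolvers", INTERNAL_NET, DNS_GROUP, DNS, "accept", "long"),
        Rule("ping-out", PING_HOST, ANY, ECHO_REQUEST, "accept", "long"),
        Rule("ping-reply-in", ANY, PING_HOST, ECHO_REPLY, "accept", "long"),
        Rule("fw-management", MGMT_HOSTS, FIREWALL, FW1_MGMT, "accept", "long"),
        CLEANUP,
    ]


# Constructed connection attempts; 203.0.113.10 stands in for an external server.
FLOWS = {
    "aim-native":    Flow("10.0.1.50", "203.0.113.10", "tcp", 5190),  # AIM's usual port
    "aim-via-53":    Flow("10.0.1.50", "203.0.113.10", "tcp", 53),    # assumed fallback
    "real-dns":      Flow("10.0.1.50", "10.0.0.53", "udp", 53),
    "user-ping-out": Flow("10.0.1.50", "203.0.113.10", "icmp", 8),
    "echo-reply-in": Flow("203.0.113.10", "10.0.1.50", "icmp", 0),    # covert channel
    "testhost-ping": Flow("10.0.0.9", "203.0.113.10", "icmp", 8),
    "mgmt-to-fw":    Flow("10.0.0.2", "10.0.0.1", "tcp", 256),
    "user-to-fw":    Flow("10.0.1.50", "10.0.0.1", "tcp", 256),
}


def run(rulebase):
    """Evaluate every sample flow; returns {flow name: (rule, action, logged)}."""
    return {name: evaluate(rulebase, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, policy in (("loose", loose_policy()), ("tight", tight_policy())):
        print(f"--- {label} policy ---")
        for name, (rule, action, logged) in run(policy).items():
            print(f"{name:14} {action:6} by {rule:16} logged={logged}")
```

Under the loose policy the AIM client's port-53 connection is accepted by "dns-to-anywhere" and looks like DNS in the log; under the tight policy it falls through to the cleanup rule and is both dropped and logged, while real DNS to the resolvers, the test host's pings and the management hosts' firewall access still work. Dropping the cleanup rule from either policy still blocks the unmatched traffic, but without a log entry, which is the point of writing the rule explicitly.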
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================