From: "John A. Sullivan III" <jsullivan@opensourcedevel.com>
To: Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006@gmx.net>
Cc: netfilter@lists.netfilter.org, Jimmy Hedman <jimmy.hedman@southpole.se>
Subject: Re: Completely Bypassing a Firewall?!
Date: Sat, 28 Jan 2006 23:31:13 -0500 [thread overview]
Message-ID: <1138509073.2883.45.camel@localhost> (raw)
In-Reply-To: <43DA3441.5090901@gmx.net>
On Fri, 2006-01-27 at 15:54 +0100, Carl-Daniel Hailfinger wrote:
> Jimmy Hedman wrote:<snip>
> >
> > If you have someone at the "inside" there is no problem to create tunnels
> > with for example OpenVPN that completely "bypasses" the firewall. If you
> > create a tunnel with OpenVPN over https and bridge the networks together
> > you could get everything through with the traffic looking just like
> > ordinary https-traffic.
> > But with only access from the outside it is very, very hard, if not
> > impossible.
>
> Yes, but finding a sufficiently naive user will probably be easy. I wrote
> such a tool myself (but it used a few java quirks), so if you can get
> somebody inside to click on something you present him, every other defense
> (except cutting the wire physically or logically) is worthless. Hey, you
> could even use the WMF exploit for such a purpose.
<snip>
This is one of the big reasons why we started the ISCS project
(http://iscs.sourceforge.net). In the ISCS model, even if a remote user
(or internal user for that matter) was completely compromised and an
intruder merrily poised at their console, the intruder can still only do
what the user can do, and the user can be restricted at the network level
to access on an as-needed basis. In other words, it is very easy in
ISCS to say something like "sales staff has access to only sales data".
If a sales person's computer is compromised, it cannot be used to try to
access administrative functions or executive data or anything that a
sales user is not allowed to access - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
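Added example (not code from this thread, from ISCS, or from netfilter): the network-level, per-group, default-deny forwarding policy John describes, written as a small policy table that is both rendered as iptables commands and simulated, so one can check what a compromised "sales" host can still reach. It does not stop the OpenVPN-over-443 tunnel discussed above from being built; it limits what the person on the far end of that tunnel can talk to. The group names, subnets and ports are constructed for illustration and are assumptions, not anything the thread or ISCS specifies.

```python
"""
Per-group forwarding policy: explicit allows per user group, stateful
return traffic, then DROP everything else. The rule text is what you
would load into a netfilter box; is_allowed() simulates the same rules
for a NEW TCP connection so the policy can be checked offline.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed policy: group -> list of (destination network, TCP port).
# Anything not listed is denied by the trailing DROP.
POLICY: Dict[str, List[Tuple[str, int]]] = {
    "sales": [("10.1.10.0/24", 445)],   # sales file share only
    "admins": [("10.1.0.0/16", 22)],    # ssh anywhere on the LAN
    "execs": [("10.1.20.0/24", 445)],   # executive data share
}

# Constructed: the VPN/LAN subnet each group's hosts are placed in.
GROUP_SUBNETS: Dict[str, str] = {
    "sales": "10.8.1.0/24",
    "admins": "10.8.2.0/24",
    "execs": "10.8.3.0/24",
}


def render_iptables(policy=POLICY, subnets=GROUP_SUBNETS) -> List[str]:
    """Emit iptables commands for the FORWARD chain: default DROP policy,
    allow established/related, one ACCEPT per (group, destination, port),
    and a final explicit DROP."""
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -F FORWARD",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for group, allows in policy.items():
        src = subnets[group]
        for dst, port in allows:
            rules.append(
                f"iptables -A FORWARD -s {src} -d {dst} -p tcp --dport {port} "
                f"-m conntrack --ctstate NEW -j ACCEPT"
            )
    rules.append("iptables -A FORWARD -j DROP")
    return rules


def is_allowed(src_ip: str, dst_ip: str, dport: int,
               policy=POLICY, subnets=GROUP_SUBNETS) -> bool:
    """Simulate the ruleset above for a NEW TCP connection: the source
    host is matched to its group's subnet, then to that group's allowed
    (network, port) pairs; no match means the trailing DROP applies."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for group, allows in policy.items():
        if src not in ipaddress.ip_network(subnets[group]):
            continue
        for net, port in allows:
            if dst in ipaddress.ip_network(net) and port == dport:
                return True
    return False


if __name__ == "__main__":
    print("\n".join(render_iptables()))
    # A compromised sales laptop can still reach the sales share ...
    print(is_allowed("10.8.1.17", "10.1.10.5", 445))   # True
    # ... but not the executive share, and not ssh on its own server.
    print(is_allowed("10.8.1.17", "10.1.20.5", 445))   # False
    print(is_allowed("10.8.1.17", "10.1.10.5", 22))    # False
```

The point the simulation makes is the one in the message: an attacker sitting on the sales host gets exactly the sales host's network permissions and nothing more, because no rule grants that subnet anything else. The rules as rendered assume that each group really does land in its own subnet (a VPN server that hands out per-group address pools, or per-group VLANs); if every user shares one pool, source-address rules cannot tell them apart and the policy has to be enforced somewhere that knows the user identity.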
Thread overview:
2006-01-25 14:07 Completely Bypassing a Firewall?! Jason Noble
2006-01-25 17:02 ` /dev/rob0
2006-01-26 3:48 ` Mark E. Donaldson
2006-01-27 8:50 ` Jimmy Hedman
2006-01-27 14:54 ` Carl-Daniel Hailfinger
2006-01-29 4:31 ` John A. Sullivan III [this message]
-- strict thread matches above, loose matches on Subject: below --
2006-01-25 14:28 Derick Anderson