* Completely Bypassing a Firewall?!
@ 2006-01-25 14:07 Jason Noble
2006-01-25 17:02 ` /dev/rob0
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Jason Noble @ 2006-01-25 14:07 UTC (permalink / raw)
To: netfilter
We just heard a rumor about our rival company, that they have developed
a "system" that can completely bypass a properly-configured/locked-down
firewall (netfilter or any other).
Is this truly possible? with only external access and no software that's
already been planted inside the firewall?
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Completely Bypassing a Firewall?!
2006-01-25 14:07 Completely Bypassing a Firewall?! Jason Noble
@ 2006-01-25 17:02 ` /dev/rob0
2006-01-26 3:48 ` Mark E. Donaldson
2006-01-27 8:50 ` Jimmy Hedman
2 siblings, 0 replies; 7+ messages in thread
From: /dev/rob0 @ 2006-01-25 17:02 UTC (permalink / raw)
To: netfilter
On Wednesday 2006-January-25 08:07, Jason Noble wrote:
> We just heard a rumor about our rival company, that they have
> developed a "system" that can completely bypass a
> properly-configured/locked-down firewall (netfilter or any other).
>
> Is this truly possible? with only external access and no software
> that's already been planted inside the firewall?
The rumour and the question could only come from someone who has no
understanding of firewalls. No. If your company provides firewalling
products, you just made your company look bad. Might as well name the
rival here, so they look bad too. :)
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
^ permalink raw reply [flat|nested] 7+ messages in thread
* RE: Completely Bypassing a Firewall?!
2006-01-25 14:07 Completely Bypassing a Firewall?! Jason Noble
2006-01-25 17:02 ` /dev/rob0
@ 2006-01-26 3:48 ` Mark E. Donaldson
2006-01-27 8:50 ` Jimmy Hedman
2 siblings, 0 replies; 7+ messages in thread
From: Mark E. Donaldson @ 2006-01-26 3:48 UTC (permalink / raw)
To: 'Jason Noble', netfilter
Yes it is possible. Hack the root password on the box, rewrite the ruleset,
and then load the ruleset. But ya know, I think that possibility has always
existed.
##########################################
This is coming from the home and office of:
Mark E. Donaldson
Bandwidthco Computer Security
markee@bandwidthco.com
http://www.bandwidthco.com/
Copyright C 1999 Bandwidthco.com. All rights reserved.
4500 0028 a66b 4000 8006 d307 c0a8 000a
c0a8 0002 0871 0bc3 572b 25f7 ca7d 1b60
5010 f64c c0f6 0000 0000 0000 0000
##########################################
CCNA, OCP, GSEC, GCFW, GCIH, GCIA, GCUX, GCFA, X-Ways (WinHex) Forensics
Certified
##########################################
Hacking is the process of influencing a computer system
in such a way that it performs an action that is useful to you.
##########################################
.~.
/V\
/( )\
^^-^^
-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Jason Noble
Sent: Wednesday, January 25, 2006 6:07 AM
To: netfilter@lists.netfilter.org
Subject: Completely Bypassing a Firewall?!
We just heard a rumor about our rival company, that they have developed a
"system" that can completely bypass a properly-configured/locked-down
firewall (netfilter or any other).
Is this truly possible? with only external access and no software that's
already been planted inside the firewall?
########################################################
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
postmaster@bandwidthco.com
MailScanner at Bandwidthco Computer Security is for your absolute
protection.
########################################################
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Completely Bypassing a Firewall?!
2006-01-25 14:07 Completely Bypassing a Firewall?! Jason Noble
2006-01-25 17:02 ` /dev/rob0
2006-01-26 3:48 ` Mark E. Donaldson
@ 2006-01-27 8:50 ` Jimmy Hedman
2006-01-27 14:54 ` Carl-Daniel Hailfinger
2 siblings, 1 reply; 7+ messages in thread
From: Jimmy Hedman @ 2006-01-27 8:50 UTC (permalink / raw)
To: Jason Noble; +Cc: netfilter
> We just heard a rumor about our rival company, that they have developed
> a "system" that can completely bypass a properly-configured/locked-down
> firewall (netfilter or any other).
>
> Is this truly possible? with only external access and no software that's
> already been planted inside the firewall?
>
If you have someone at the "inside" there is no problem to create tunnels
with for example OpenVPN that completely "bypasses" the firewall. If you
create a tunnel with OpenVPN over https and bridge the networks together
you could get everything through with the traffic looking just like
ordinary https-traffic.
But with only access from the outside it is very, very hard, if not
impossible.
// Jimmy
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Completely Bypassing a Firewall?!
2006-01-27 8:50 ` Jimmy Hedman
@ 2006-01-27 14:54 ` Carl-Daniel Hailfinger
2006-01-29 4:31 ` John A. Sullivan III
0 siblings, 1 reply; 7+ messages in thread
From: Carl-Daniel Hailfinger @ 2006-01-27 14:54 UTC (permalink / raw)
To: Jimmy Hedman; +Cc: netfilter
Jimmy Hedman wrote:
>>We just heard a rumor about our rival company, that they have developed
>>a "system" that can completely bypass a properly-configured/locked-down
>>firewall (netfilter or any other).
Properly locked down = no connection to the outside possible, not even
via proxy. No ICMP, no DNS, no SMTP. Well, in that case it would be
interesting to see them break that. OTOH, such a thing makes it impossible
for anyone to surf the net or send mails.
>>Is this truly possible? with only external access and no software that's
>>already been planted inside the firewall?
>>
>
> If you have someone at the "inside" there is no problem to create tunnels
> with for example OpenVPN that completely "bypasses" the firewall. If you
> create a tunnel with OpenVPN over https and bridge the networks together
> you could get everything through with the traffic looking just like
> ordinary https-traffic.
> But with only access from the outside it is very, very hard, if not
> impossible.
Yes, but finding a sufficiently naive user will probably be easy. I wrote
such a tool myself (but it used a few java quirks), so if you can get
somebody inside to click on something you present him, every other defense
(except cutting the wire physically or logically) is worthless. Hey, you
could even use the WMF exploit for such a purpose.
Regards,
Carl-Daniel
--
http://www.hailfinger.org/
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Completely Bypassing a Firewall?!
2006-01-27 14:54 ` Carl-Daniel Hailfinger
@ 2006-01-29 4:31 ` John A. Sullivan III
0 siblings, 0 replies; 7+ messages in thread
From: John A. Sullivan III @ 2006-01-29 4:31 UTC (permalink / raw)
To: Carl-Daniel Hailfinger; +Cc: netfilter, Jimmy Hedman
On Fri, 2006-01-27 at 15:54 +0100, Carl-Daniel Hailfinger wrote:
> Jimmy Hedman wrote:<snip>
> >
> > If you have someone at the "inside" there is no problem to create tunnels
> > with for example OpenVPN that completely "bypasses" the firewall. If you
> > create a tunnel with OpenVPN over https and bridge the networks together
> > you could get everything through with the traffic looking just like
> > ordinary https-traffic.
> > But with only access from the outside it is very, very hard, if not
> > impossible.
>
> Yes, but finding a sufficiently naive user will probably be easy. I wrote
> such a tool myself (but it used a few java quirks), so if you can get
> somebody inside to click on something you present him, every other defense
> (except cutting the wire physically or logically) is worthless. Hey, you
> could even use the WMF exploit for such a purpose.
<snip>
This is one of the big reasons why we started the ISCS project
(http://iscs.sourceforge.net). In the ISCS model, even if a remote user
(or internal user for that matter) was completely compromised and an
intruder merrily poised at their console, the intruder can still only do
what the user can do and the user can be restricted at the network level
to access on an as needed basis. In other words, it is very easy in
ISCS to say something like "sales staff has access to only sales data".
If a sales person's computer is compromised, it cannot be used to try to
access administrative functions or executive data or anything that a
sales user is not allowed to access - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
^ permalink raw reply [flat|nested] 7+ messages in thread
* RE: Completely Bypassing a Firewall?!
@ 2006-01-25 14:28 Derick Anderson
0 siblings, 0 replies; 7+ messages in thread
From: Derick Anderson @ 2006-01-25 14:28 UTC (permalink / raw)
To: netfilter
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of
> Jason Noble
> Sent: Wednesday, January 25, 2006 9:07 AM
> To: netfilter@lists.netfilter.org
> Subject: Completely Bypassing a Firewall?!
>
>
> We just heard a rumor about our rival company, that they have
> developed
> a "system" that can completely bypass a
> properly-configured/locked-down
> firewall (netfilter or any other).
>
> Is this truly possible? with only external access and no
> software that's
> already been planted inside the firewall?
Depends on how you define "bypass". Can you send SMTP data through port
80? Yes. You can also "bypass" any firewall which filters on source port
but not destination port, but this isn't considered properly configured
much less locked down. Are you sure they're not talking about I[D|P]Ses?
There have been several white papers over the last few years on
bypassing those, and some people think that firewall = IPS.
Maybe this rival company has been watching too many recent movie
previews with Harrison Ford in them. If Harrison Ford works for you (and
you happen to be a bank), then I'd be worried. =)
Derick Anderson
^ permalink raw reply [flat|nested] 7+ messages in thread
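An added example, not part of the original thread or of netfilter itself: a small audit of an iptables-save style ruleset for the misconfiguration Derick Anderson describes above, ACCEPT rules that match on a source port without also pinning a destination port or a reply-only connection state. The sample ruleset and the function names are constructed for illustration.

```python
import shlex

# Constructed sample in iptables-save syntax (not taken from the thread).
SAMPLE_RULES = """\
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --sports 80,443 -j ACCEPT
"""

SRC_PORT = {"--sport", "--source-port", "--sports", "--source-ports"}
DST_PORT = {"--dport", "--destination-port", "--dports", "--destination-ports"}
REPLY_STATES = {"ESTABLISHED", "RELATED"}


def value_after(tokens, opt):
    """Return the argument following opt, or None if opt is absent."""
    return tokens[tokens.index(opt) + 1] if opt in tokens[:-1] else None


def audit_source_port_accepts(ruleset):
    """Return (line_number, chain, rule) for each ACCEPT rule that trusts a
    sender-chosen source port: no destination port and no reply-only state."""
    findings = []
    for lineno, line in enumerate(ruleset.splitlines(), 1):
        tokens = shlex.split(line, comments=True)
        if len(tokens) < 2 or tokens[0] not in ("-A", "-I"):
            continue  # chain policies, table headers, COMMIT, comments
        opts = set(tokens)
        if value_after(tokens, "-j") != "ACCEPT" or not opts & SRC_PORT:
            continue
        if opts & DST_PORT:
            continue  # the destination service is pinned as well
        states = set()
        for opt in ("--state", "--ctstate"):
            states.update((value_after(tokens, opt) or "").split(","))
        states.discard("")
        if states and states <= REPLY_STATES:
            continue  # only replies to connections the inside opened
        findings.append((lineno, tokens[1], line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, chain, rule in audit_source_port_accepts(SAMPLE_RULES):
        print(f"line {lineno} [{chain}]: {rule}")
```

Rules it reports are usually better expressed as a single ESTABLISHED,RELATED accept plus destination-port matches for the services actually offered.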
end of thread, other threads:[~2006-01-29 4:31 UTC | newest]