From: "Jesse W. Asher" <jasher1@tampabay.rr.com>
To: netfilter@lists.samba.org
Subject: Re: Natted IRC "inherently insecure"?
Date: Mon, 08 Jul 2002 19:26:00 -0400 [thread overview]
Message-ID: <3D2A1F88.9040102@tampabay.rr.com> (raw)
In-Reply-To: 20020708001941.GC653@ns
[-- Attachment #1: Type: text/plain, Size: 2268 bytes --]
So, if the firewall is set up securely so that ports above 1024 are not
unfiltered and a "helper application" is in place to help with DCC, then
IRC is not "inherently insecure"?
Stephen Frost wrote:
>* Jesse W. Asher (jasher1@tampabay.rr.com) wrote:
>
>
>>Someone recently indicated to me that they believed that natting IRC
>>through a firewall was "inherently insecure" and I wanted to get
>>opinions on that statement. I guess, in my mind, it isn't any more or
>>less secure than any other service natted through the firewall - it all
>>depends on how comfortable you feel with the inherent security of the
>>client/tool that you're using.
>>
>>Comments?
>>
>>
>
>The client/tool is one thing but I think what they were probably getting
>at is the issue of DCC. The problem with DCC is that it expects to be
>able to reach any >1024 port on the remote system. The two clients work
>out, over the IRC network, the ports to use. If your firewall doesn't
>allow connections to high ports outbound or inbound, and you don't use
>some kind of IRC helper in your firewall, then DCC won't work. This may
>be acceptable to you but some people feel they need DCC. Using an IRC
>helper in your firewall can mitigate these problems some. They can't
>fix everything though because of the way in which the DCC protocol
>works. A user using DCC can potentially allow a scan of the high ports
>on at least the machine they're IRC'ing from.
>
>Unfortunately I'm not very familiar with the internals of the netfilter
>IRC-helper module or what checks it does but there are some things it
>has no way to know due simply to where it has to be and what it gets to
>see. I havn't heard of many people getting attacked in such a way
>though so the chances of you being exploited in that way are probably
>pretty slim. Unless you have someone going for you specifically using
>an IRC helper will probably be enough. Most attackers are going for
>'easy' targets, things they can sweep large network blocks for; such as
>the recent OpenSSH holes, various Windows-based services, etc.
>
> Stephen
>
>
--
Jesse W. Asher
"They that can give up essential liberty to purchase a little temporary
safety, deserve neither liberty or safety." - Benjamin Franklin
[-- Attachment #2: Type: text/html, Size: 2760 bytes --]
next prev parent reply other threads:[~2002-07-08 23:26 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-07-04 11:42 Natted IRC "inherently insecure"? Jesse W. Asher
2002-07-08 0:19 ` Stephen Frost
2002-07-08 0:38 ` Martin Josefsson
2002-07-08 23:26 ` Jesse W. Asher [this message]
-- strict thread matches above, loose matches on Subject: below --
2002-07-04 22:10 George Vieira
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3D2A1F88.9040102@tampabay.rr.com \
--to=jasher1@tampabay.rr.com \
--cc=netfilter@lists.samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox