Comodo blocking port forwarding

Subject: Comodo blocking port forwarding | Author: fred fleagle | Date: 03-31-2008
Posted by Mr. Arnold on April 7, 2008, 7:21 pm

> Mr. Arnold wrote:
>
>
>> Look man, I was contacting my ISP's NNTP server on TCP 119 and POP3 TCP
>> 110/SMTP on TCP 587
>
>
> 587 is typically SUBMISSION (which is essentially SMTP but with a bit
> relaxed semantics to allow more stringent spam filtering).

That's what the ISP told me was why they were using 587. I still get a lot of
spam, but that's to be expected from Earthlink. The only reason I use
Earthlink is because I can use a BB or dial-up connection.
>
>> So, are you going to sit there and tell me you have some kind of slick
>> little program that's hiding your activities, and that the FW admin can't
>> see what you're doing? <g>
>
>
> Not that I'd support using such tools for circumventing a company's
> network policy (which exists for a good reason), but yes, such tools
> exist. In fact, one can even create cryptographically secure hidden
> channels, that is, if you had any method of differentiating them from
> legitimate traffic (yes, even adaptive active attacks) you would also be
> able to break some protocols which are considered cryptographically strong.

I know about the tools. But I doubt that the person I am talking to knows
this, and again maybe he does. And if he is doing it, then he is not getting
paid to do that.


Posted by Sebastian G. on April 7, 2008, 8:26 pm
Mr. Arnold wrote:


>>> Look man, I was contacting my ISP's NNTP server on TCP 119 and POP3 TCP
>>> 110/SMTP on TCP 587
>>
>> 587 is typically SUBMISSION (which is essentially SMTP but with a bit
>> relaxed semantics to allow more stringent spam filtering).
>
> That's what the ISP told me why they were using 587.


I rather guess they run SMTP on port 25 as well, but offer SUBMISSION as a
good alternative for the more competent users - after all, it allows you to
generally block outgoing traffic with destination port 25, which immediately
kills off almost any threat of your machine sending out spam when it gets
compromised.

> I know about the tools. But I doubt that the person I am talking to knows
> this and again maybe he does.


But Google knows them. And he certainly knows Google.

Posted by Poutnik on April 8, 2008, 2:40 pm
Apr 2008 18:50:56 -0400 says...

> What? The traffic travels from the WAN to the LAN. That is traffic that's
> let through the firewall, the trusted and untrusted zone. Whether it be two
> NICS doing a (WAN/LAN) or the WAN/LAN on a FW appliance, traffic is
> controlled between the interfaces, inbound and outbound, the trusted and
> untrusted zones with a FW solution.

Why is it so hard to understand that I do know all that stuff? BTW, you forgot
to mention the DMZ. I am just pointing out that you should not be so much IT
focused as being a human being. I am expecting some abstraction ability from you :-)

> Look man, I was contacting my ISP's NNTP server on TCP 119 and POP3 TCP
> .......
> setting FW rules.

I was not saying anywhere that they cannot stop my activity.
What I was trying to say is that it is easy to hide unwanted activity within
legitimate activity.


> It never was a FW functionality. It's a snake-oil personal FW solution.

A Snake is your favorite animal, I see :-)

> > There is no need to compromise or even attack FW ( where HW/SW ones are
> > strong ), if you can persuade him.
>
> We are talking about something like Commando that runs with the O/S. The O/S
> can be fooled and so can the snake-oil PFW solution if malware can get there
> and can be executed. It can punch right through it.

You have twice mentioned Commando - I do not know such a PFW.
Every piece of software can be fooled, even software running on FWs,
no matter if in DRAM or NOR Flash.
BTW, tests show malware has a hard time getting through PFWs.
And there is a very huge difference between a packet filter,
which you said PFWs are at best, and today's PFWs.
>
> So, what happens at the boot and login process when malware can beat the
> PFW, run and communicate, before the PFW can run to protect the
> connection? The O/S is not waiting for the PFW before the connection is made
> available? The 3rd party PFW is not an integrated solution.

Well, you made me a little disappointed at this moment.
I had thought you had a better idea of how they work.
Their low-level drivers block all connection activity
until the PFW application is running.

You may know PerfectDisk as one of the leading defragmenting programs,
able to perform "offline" defrag of all system files.
Well, it has a hard time today, not being able to do it.
The latest PFW denies it exclusive access.

Posted by Sebastian G. on April 8, 2008, 4:18 pm
Poutnik wrote:


> Every piece of software can be fooled, even software running on FWs,
> no matter if in DRAM or NOR Flash.


Yes, that's the opinion of obviously clueless people. Say I set up a packet
filter to drop every packet, how exactly would you try to circumvent this?
Heck, there's even a special patch for the Linux kernel that ensures that no
packets can be sent whatsoever.

As for a more practical example: I set up a packet filter to only allow HTTP
on port 80 via a proxy, and the proxy does both DNS forwarding and HTTP
proxying. In both application protocols I set up a whitelist of allowed
domains - now how exactly would you circumvent it?

> BTW, tests show malware has a hard time getting through PFWs.


Serious tests show how blatantly wrong these tests are.

> And there is a very huge difference between a packet filter,
> which you said PFWs are at best, and today's PFWs.


And that's the problem. Not just that they shouldn't be any more, they
didn't ever manage to even get the packet filtering stuff done right.

> Their low-level drivers block all connection activity
> until the PFW application is running.


And what happens before the driver is loaded?

> You may know PerfectDisk as one of the leading defragmenting programs,
> able to perform "offline" defrag of all system files.
> Well, it has a hard time today, not being able to do it.
> The latest PFW denies it exclusive access.


If this is really the case, then these PFWs are obviously horribly broken.
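
Sebastian G.'s two posts above describe the same defensive posture at two strengths: block outbound TCP 25 so a compromised machine cannot spam directly, letting mail leave only via SUBMISSION (587); and, in the stricter version, let web traffic leave only through a proxy that does the DNS and the domain whitelisting. The script below is an added example, not code from the thread and nothing to do with Comodo; it sketches that egress policy for a single Linux host with iptables. The addresses (192.0.2.x, 198.51.100.x) are constructed placeholders from the RFC 5737 documentation ranges, the proxy port 3128 is an assumption, and by default the script only prints the commands; set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example: single-host egress policy with Linux iptables.
# Dry run by default (prints the commands). Set IPT=iptables to apply for real.
IPT="${IPT:-echo iptables}"

# Constructed placeholder addresses (RFC 5737 documentation ranges), not real hosts.
ISP_MAIL="192.0.2.10"     # ISP mail server: POP3 (110) and SUBMISSION (587)
ISP_NEWS="192.0.2.20"     # ISP NNTP server (119)
WEB_PROXY="198.51.100.5"  # filtering HTTP proxy that also forwards DNS for us
PROXY_PORT="3128"         # assumed proxy listener port

egress_rules() {
    # Start clean and default to dropping everything the host tries to send.
    $IPT -F OUTPUT
    $IPT -P OUTPUT DROP

    # Loopback, plus replies belonging to connections already accepted.
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Outbound SMTP on 25 is never legitimate from this host: log it, then drop it.
    # A compromised box trying to spam directly therefore shows up in the log.
    $IPT -A OUTPUT -p tcp --dport 25 -j LOG --log-prefix "egress-smtp25: "
    $IPT -A OUTPUT -p tcp --dport 25 -j DROP

    # Mail leaves only via SUBMISSION (587) to the ISP's server; POP3 and NNTP likewise
    # are allowed only to the ISP hosts that actually provide them.
    $IPT -A OUTPUT -p tcp -d "$ISP_MAIL" --dport 587 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp -d "$ISP_MAIL" --dport 110 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp -d "$ISP_NEWS" --dport 119 -m conntrack --ctstate NEW -j ACCEPT

    # Web: no direct 80/443 and no direct DNS. Only the proxy is reachable; the
    # domain whitelist and name resolution live in the proxy, not in this filter.
    $IPT -A OUTPUT -p tcp -d "$WEB_PROXY" --dport "$PROXY_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # Log attempts to bypass the proxy before the DROP policy eats them.
    $IPT -A OUTPUT -p tcp --dport 80 -j LOG --log-prefix "egress-direct-http: "
    $IPT -A OUTPUT -p udp --dport 53 -j LOG --log-prefix "egress-direct-dns: "
    # Anything not matched above falls through to the OUTPUT DROP policy.
}

# Sanity check helper: how many emitted rules name the given destination port.
rules_for_port() {
    egress_rules | grep -c -- "--dport $1 " || true
}

egress_rules
```

In dry-run mode the output is the exact rule list, which is worth reading once: every explicit ACCEPT names a destination host, port 25 is logged and dropped before any ACCEPT could match, and direct HTTP and DNS only ever reach a LOG rule. Whether the proxy's domain whitelist is any good is a separate question the packet filter cannot answer.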

Posted by Poutnik on April 8, 2008, 6:59 pm
+0200 Sebastian G. says...
> Poutnik wrote:
>

> Yes, that's the opinion of obviously clueless people. Say I set up a packet
> filter to drop every packet, how exactly would you try to circumvent this?

Easily.
Such settings will soon be replaced by something useful.
Similarly, it can be said that a PC switched off is 100% secure.
But such a PC is a useless one.
>
> As for a more practical example: I set up a packet filter to only allow HTTP
> on port 80 via a proxy, and the proxy does both DNS forwarding and HTTP
> proxying. In both application protocols I set up a whitelist of allowed
> domains - now how exactly would you circumvent it?

Easily, by human pressure to cancel such limited functionality.

There will always be a forced trade-off between functionality
and security. Any system is as strong as people let it be,
not as strong as it could be. This trade-off will always be
a weakness by principle, not less serious than
the in-principle ability of a PFW to be compromised.
>
> > BTW, tests show malware has a hard time getting through PFWs.
> Serious tests show how blatantly wrong these tests are.

Not proved. Well, most of what you say about PFWs can be easily applied
to AV solutions. Would you persuade people not to use AV?
The fact that there is no 100% secure sw solution of any kind
( and I have never claimed the opposite )
does not mean we should not use it.
Would you not try to cure a disease, just because there is
no guarantee of success?

> > Their low-level drivers block all connection activity
> > until the PFW application is running.
>
> And what happens before the driver is loaded?

Then there are suspicious data transactions
between other already booted devices
within the so-called secured LAN that HW FWs do not care about.
Who would care about a FW in the age of notebooks,
palms, IR, wifi, bluetooth and all related stuff? :-D

I think this discussion probably leads nowhere.
But I take it as a gain, not a loss.
Glad to share opinions with all of you.
Thanks for the cooperation.
