From: D Yuniskis on 21 Jul 2010 12:43

Hi,

I'm looking for ideas on ways to subvert firewalls for short messages. I.e., passing what *appears* to be *legitimate* traffic through a (properly configured) firewall that is, in fact, *not* acting in the "apparent" purpose. In particular, I'm interested in some of the "less obvious" ways of doing so.

I'm concerned with "classic" firewalls, here (e.g., running on a bastion host) -- not the MS variety (the idea of running a firewall on a desktop machine seems *too* funny! :> )

Thx,
--don
From: Tim Wescott on 21 Jul 2010 12:52

On 07/21/2010 09:43 AM, D Yuniskis wrote:
> Hi,
>
> I'm looking for ideas on ways to subvert firewalls for
> short messages. I.e., passing what *appears* to be
> *legitimate* traffic through a (properly configured)
> firewall that is, in fact, *not* acting in the "apparent"
> purpose. In particular, I'm interested in some of the
> "less obvious" ways of doing so.
>
> I'm concerned with "classic" firewalls, here (e.g.,
> running on a bastion host) -- not the MS variety
> (the idea of running a firewall on a desktop machine
> seems *too* funny! :> )

Do you have a *legitimate* reason?

This is far easier to do if your purpose is to enact point-to-point communication between two cooperative computers via an 'unfriendly' firewall than if you have some need to drill through a firewall to unknown software on the other side.

I know it can be done: I remember a conversation with a fellow at the Embedded Systems Conference whose company had figured out how to make their VPN work on the http port (port 80?), so that they could log into their network through hotel ethernet connections while on the road.

--
Tim Wescott
Wescott Design Services
http://www.wescottdesign.com

Do you need to implement control loops in software? "Applied Control Theory for Embedded Systems" was written for you. See details at http://www.wescottdesign.com/actfes/actfes.html
From: Vladimir Vassilevsky on 21 Jul 2010 13:11

D Yuniskis wrote:
> Hi,
>
> I'm looking for ideas on ways to subvert firewalls for
> short messages. I.e., passing what *appears* to be
> *legitimate* traffic through a (properly configured)
> firewall that is, in fact, *not* acting in the "apparent"
> purpose. In particular, I'm interested in some of the
> "less obvious" ways of doing so.
>
> I'm concerned with "classic" firewalls, here (e.g.,
> running on a bastion host) -- not the MS variety
> (the idea of running a firewall on a desktop machine
> seems *too* funny! :> )

To establish any communication, at least one computer outside must have open server port. Clients could connect to it and communicate to each other through whatever outbound connections allowed by firewall. There is no problem to encapsulate your data into http or any other common protocol.

VLV
From: D Yuniskis on 21 Jul 2010 13:44

Hi Tim,

Tim Wescott wrote:
> On 07/21/2010 09:43 AM, D Yuniskis wrote:
>
>> I'm looking for ideas on ways to subvert firewalls for
>> short messages. I.e., passing what *appears* to be
>> *legitimate* traffic through a (properly configured)
>> firewall that is, in fact, *not* acting in the "apparent"
>> purpose. In particular, I'm interested in some of the
>> "less obvious" ways of doing so.
>>
>> I'm concerned with "classic" firewalls, here (e.g.,
>> running on a bastion host) -- not the MS variety
>> (the idea of running a firewall on a desktop machine
>> seems *too* funny! :> )
>
> Do you have a *legitimate* reason?

Of course! For "illegitimate" reasons, you can be far more brazen and careless in your approach...

> This is far easier to do if your purpose is to enact point-to-point
> communication between two cooperative computers via an 'unfriendly'
> firewall than if you have some need to drill through a firewall to
> unknown software on the other side.
>
> I know it can be done: I remember a conversation with a fellow at the
> Embedded Systems Conference whose company had figured out how to make
> their VPN work on the http port (port 80?), so that they could log into
> their network through hotel ethernet connections while on the road.

Yes, you just need to find a protocol that is *likely* to be tolerated by the firewall and an appropriate port. The trick lies in deciding A PRIORI (remember the E in c.a.e) what that strategy will be -- without knowledge of the particular firewall (and its configuration) you are likely to encounter.

Folks using a laptop in a hotel have much more leeway: their strategy can be adaptive (as adaptive as the humans involved can be!); and, the firewall in question will already (typically) have been configured to be highly permissive (since, presumably, the hotel wants to offer this as an amenity to its guests).
From: D Yuniskis on 21 Jul 2010 13:52

Hi Vladimir,

Vladimir Vassilevsky wrote:
> D Yuniskis wrote:
>
>> I'm looking for ideas on ways to subvert firewalls for
>> short messages. I.e., passing what *appears* to be
>> *legitimate* traffic through a (properly configured)
>> firewall that is, in fact, *not* acting in the "apparent"
>> purpose. In particular, I'm interested in some of the
>> "less obvious" ways of doing so.
>>
>> I'm concerned with "classic" firewalls, here (e.g.,
>> running on a bastion host) -- not the MS variety
>> (the idea of running a firewall on a desktop machine
>> seems *too* funny! :> )
>
> To establish any communication, at least one computer outside must have
> open server port. Clients could connect to it and communicate to each
> other through whatever outbound connections allowed by firewall. There
> is no problem to encapsulate your data into http or any other common
> protocol.

The problem lies in my expectation of a "(properly configured)" firewall. A good security officer will look at *each* node on his network and configure the firewall to allow the *minimum* connectivity REQUIRED by the device in question. Then, write rules to restrict the traffic between that node and the outside world to *exactly* that level -- nothing more.

If, for example, the device in question is a laptop, then the MAC/IP associated with the laptop will probably have very permissive rules regarding what it can and can't talk to on the outside. OTOH, if the device in question is a temperature sensor (recall this is c.a.e), chances are it *won't* be allowed to access websites, send email, etc. directly with the outside world! :> Likewise, the outside world will be "hindered" from accessing that device as well (no doubt, this example would have the device "not routed"... but, with some thought, you can come up with a device that *will* be routed -- though with limits placed on its connectivity).

So, the task is to come up with "non-obvious" (see my post) ways of drilling through the firewall's rule set. Before the days of switches, this would have been easier as network/peer discovery was almost "free". But, now the switch limits just what traffic you see and, thus, how much you can glean about the rest of the network (and the traffic that the firewall is allowing for those *other* nodes).
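The "properly configured" firewall Don describes above (per-node allowlists, default deny, nothing beyond what each device requires) and the "VPN on port 80" case Tim mentions together define what the defending side actually has to check. The script below is an added example, not code from any poster in this thread: it models that per-node minimum-connectivity policy and adds the application-layer conformance check that a deeper-inspecting firewall applies so that "something on port 80" is only allowed when it really is an HTTP request. All device names, addresses, ports and sample flows are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt as the firewall sees it (constructed)."""
    src: str        # internal node originating the connection
    dst: str        # destination address outside
    dport: int      # destination port
    payload: bytes  # first bytes the client sent after the handshake


# Per-node allowlist (constructed): exactly the minimum each node is REQUIRED
# to reach. Anything not listed for a node is denied; an unknown node is denied
# outright. This is the "write rules per node, nothing more" policy from the thread.
POLICY = {
    "10.0.0.10": [("192.0.2.1/32", 123)],                  # temperature sensor: NTP to one server, nothing else
    "10.0.0.20": [("0.0.0.0/0", 80), ("0.0.0.0/0", 443)],  # laptop: web out to anywhere
}

# What legitimate traffic on the allowed web ports looks like at byte level.
# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n"
)


def looks_like_protocol(port: int, payload: bytes) -> bool:
    """Cheap application-layer conformance check for the ports we allow.

    A VPN or other tunnel forced onto port 80 does not start with an HTTP
    request line, which is exactly what this check is meant to catch.
    """
    if port == 80:
        return HTTP_REQUEST_LINE.match(payload) is not None
    if port == 443:
        # TLS record header: ContentType 0x16 (handshake), version major byte 0x03
        return len(payload) >= 2 and payload[0] == 0x16 and payload[1] == 0x03
    return True  # no conformance check for other protocols in this toy model


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ("ALLOW" | "DENY", reason) for one flow under POLICY."""
    rules = POLICY.get(flow.src)
    if rules is None:
        return "DENY", f"unknown node {flow.src}"
    dst = ipaddress.ip_address(flow.dst)
    for net, port in rules:
        if port == flow.dport and dst in ipaddress.ip_network(net):
            break
    else:
        return "DENY", f"no rule for {flow.src} -> {flow.dst}:{flow.dport}"
    if not looks_like_protocol(flow.dport, flow.payload):
        return "DENY", f"payload on port {flow.dport} does not conform to the expected protocol"
    return "ALLOW", "matches minimum-connectivity rule and protocol check"


# Constructed sample flows: the sensor doing its job, the sensor trying the web,
# the laptop browsing, a non-HTTP tunnel on port 80, a TLS hello, an unknown host.
SAMPLE_FLOWS = [
    Flow("10.0.0.10", "192.0.2.1", 123, b"\x1b" + b"\x00" * 47),
    Flow("10.0.0.10", "192.0.2.50", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    Flow("10.0.0.20", "192.0.2.50", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    Flow("10.0.0.20", "192.0.2.50", 80, b"\x00\x01\x02\x03not-http-at-all"),
    Flow("10.0.0.20", "192.0.2.50", 443, b"\x16\x03\x01\x00\xc8\x01\x00"),
    Flow("10.0.0.99", "192.0.2.50", 80, b"GET / HTTP/1.1\r\n"),
]


def audit(flows=SAMPLE_FLOWS) -> list[str]:
    """Evaluate every flow and return the verdicts in order."""
    return [evaluate(f)[0] for f in flows]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, reason = evaluate(f)
        print(f"{verdict:5} {f.src} -> {f.dst}:{f.dport}  ({reason})")
```

The two checks are deliberately separate: the allowlist answers "is this node supposed to talk to that port at all", which already stops the temperature sensor from reaching port 80 anywhere, and the conformance check answers "is the traffic on an allowed port really the protocol the rule was written for", which is what the hotel-style "VPN on port 80" trick relies on nobody asking. A real deployment would do the second part in a proxy or an IDS rather than on the first packet alone, but the ordering of the decisions is the same.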