On Sun, Jun 17, 2001 at 10:38:30AM +0100, Robert Davies wrote:
>
> But can't they just try to use a connection which you permit, to port 80
> for instance to make it look like HTTP, or use DNS port 53. I think you're
> 'hoping' they'll use a non-stealthy port, like an IRC DCC connection on the
> default port for controlling something like an eggdrop bot, on ports you
> don't usually use.
>
> <snip>
>
> What you're really showing here is that allowing Masquerading or Forwarding
> (if you use assigned IPs, rather than private) and relying on packet
> filtering is less secure than not permitting it at all, and using an
> application gateway eg) proxy.

Of course they can use an allowed port, and blocking all but a few outgoing
ports wouldn't help you there. But equally, as they (usually) use IRC now,
they could use HTTP to get things done. Your application-aware proxy wouldn't
buy you anything; it would just let things go through.

(If I were to write a bot, I *would* use HTTP and/or HTTPS - these ports are
nearly never blocked; the only reason why people currently don't is because
it's probably just a lot easier to program an IRC bot.)

Regards,

Filip

--
"From a security perspective, Bluetooth is a disaster waiting to happen."
-- Martin Reynolds
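The point Filip makes above is that a bot speaking well-formed HTTP passes both a port-based egress filter and a syntax-checking application proxy. What the proxy does leave behind is a log, and the one thing a polling bot cannot hide in valid HTTP is its timing. The following is an added example, not code from the original thread or from any of the participants: it takes a handful of constructed squid-style access.log lines and flags (client, host) pairs whose requests arrive at near-constant intervals. The log format, hostnames, addresses and thresholds are all assumptions for illustration; it goes slightly beyond the mail by turning the caveat into a check a practitioner could run over real proxy logs.

```python
"""Beacon detection over HTTP proxy logs.

Added example (not from the original mailing-list post). A bot that talks
to its controller over HTTP through a proxy looks like ordinary web
traffic to a packet filter and to an application gateway, so inspection
of the request itself is not enough. A polling bot does, however, tend to
contact one host at a regular interval; this script groups requests per
(client, host) and flags groups whose inter-request gaps are regular.
"""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log lines in a simplified squid native format:
# "<unix_ts> <elapsed_ms> <client_ip> <result/status> <bytes> <method> <url>"
# 10.0.0.5 is a normal browser; 10.0.0.7 polls a hypothetical controller
# roughly every 60 seconds with small jitter. All values are made up.
SAMPLE_LOG = """\
992774400.000 12 10.0.0.5 TCP_MISS/200 512 GET http://www.example.org/index.html
992774412.000 10 10.0.0.7 TCP_MISS/200 300 GET http://c2.example.net/cmd
992774450.000 15 10.0.0.5 TCP_MISS/200 2048 GET http://www.example.org/news.html
992774470.000 14 10.0.0.5 TCP_HIT/200 9000 GET http://www.example.org/a.gif
992774471.000 11 10.0.0.7 TCP_MISS/200 301 GET http://c2.example.net/cmd
992774533.000 13 10.0.0.7 TCP_MISS/200 298 GET http://c2.example.net/cmd
992774592.000 12 10.0.0.7 TCP_MISS/200 302 GET http://c2.example.net/cmd
992774651.000 10 10.0.0.7 TCP_MISS/200 299 GET http://c2.example.net/cmd
992774990.000 20 10.0.0.5 TCP_MISS/200 1500 GET http://mail.example.com/
"""


def parse_line(line):
    """Return (timestamp, client_ip, host) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) < 7:
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    client = parts[2]
    url = parts[6]
    # CONNECT lines carry "host:port" rather than a URL; fall back to the raw field.
    host = urlsplit(url).hostname or url.split(":")[0]
    return ts, client, host


def find_beacons(log_text, min_hits=4, max_cv=0.2):
    """Return [(client, host, count, mean_gap_seconds, cv)] for regular talkers.

    cv is the coefficient of variation of the inter-request gaps
    (standard deviation / mean); 0.0 means perfectly periodic. Pairs with
    fewer than min_hits requests are ignored to limit false positives.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            ts, client, host = rec
            seen[(client, host)].append(ts)

    hits = []
    for (client, host), times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((client, host, len(times), avg, cv))
    return hits


if __name__ == "__main__":
    for client, host, n, avg, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: {n} requests, ~{avg:.1f}s apart (cv={cv:.3f})")
```

The thresholds (four requests, coefficient of variation at or below 0.2) are arbitrary starting points; a bot that randomises its sleep heavily will raise the cv, and a legitimate auto-refreshing page will lower it, so treat a hit as something to look at rather than as a verdict.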