[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: large campus network ... sugestions

Hi Jonas,

I didn't explain well... L7 filtering is easily defeated by SSL-wrapping
any TCP-service on 443 port so you can install a SSL'rized SSH or Squid
server (for instance) on that port and use it to freely surf the net :)
Your firewall will only see aparently-legit SSL connections to an
aparently-legit destination port (443). Hacker win, admin loose :-)

I repeat it: I don't know of any solution able to defeat this and would
like to know if you have some idea to detect these more-or-less "advanced"
bypass cases.

Kind regards.

Jonas Andradas escribió:
> For Layer-7 filtering, you could check
> Application Layer Packet Classifier for Linux:
> http://l7-filter.sourceforge.net/
> Kernel Iptables Layer 7:  http://l7-filter.sourceforge.net/HOWTO-kernel

> On Dec 14, 2007 6:53 PM, Roman Medina-Heigl Hernandez <roman@rs-labs.com> wrote:
>> Willi Mann escribió:

>> If you want to permit HTTPS, you have to allow CONNECT to (at least)
>> 443/tcp. So it's easy to tunnel through that port and get a "clean"
>> internet connection.
>> I don't know of any solution (level 7 filtering, etc) able to defeat this
>> kind of tricks.



PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

Reply to: