Any working TCP/IP connection can transmit covert data by encoding the
data in the sequence numbers.
Let's not forget to block/allow new protocols such as described in RFC 1149
On 5/7/07, Open Phugu <[EMAIL PROTECTED]> wrote:
On 5/7/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >From: Sebas
On 5/7/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>From: Sebastian Benoit <[EMAIL PROTECTED]>
>
>If you want deny users the possiblility to smuggle data outside of
their
>workplace (or whatever) then don't connect them to the internet.
No, no, no. You must go one step beyond this if you w
On 4/25/07, Allen Theobald <[EMAIL PROTECTED]> wrote:
Greetings! Included below is my pf.conf set up to use
dansguardian (proxyport 3128, filterport 8080)
and tinyproxy (listen port 3128) as a transparent
proxy.
What changes do I need to make to keep someone on
int_if/int_net from circumventing
>From: Sebastian Benoit <[EMAIL PROTECTED]>
>
>If you want deny users the possiblility to smuggle data outside of
their
>workplace (or whatever) then don't connect them to the internet.
No, no, no. You must go one step beyond this if you want to
prevent employees from smuggling data. To do thi
On Fri, 2007-05-04 at 09:47 -0400, Bret Lambert wrote:
> On Fri, 2007-05-04 at 07:26 -0600, Open Phugu wrote:
> > > if you deny icmp, you shall burn in hell
> > You may burn in hell, but ICMP can be used to infiltrate and exfiltrate
data:
> > http://www.cs.uit.no/~daniels/PingTunnel/
>
> This looks
Bret Lambert([EMAIL PROTECTED]) on 2007.05.04 09:47:43 +:
> This looks like it's pretty trivially defeated; bzero()'ing the data
> portion of the ICMP echo request/response removes the piggybacked data
> channel.
Then I'll encode my data with the morse over ping protocol.
If a user can send a
On Fri, May 04, 2007 at 07:26:32AM -0600, Open Phugu wrote:
> On 5/4/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
> >* Chad M Stewart <[EMAIL PROTECTED]> [2007-04-25 19:31]:
> >> On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
> >> >pass in inet proto icmp all icmp-type $icmp_types keep state
On Friday 04 May 2007 15:42:58 Henning Brauer wrote:
> so can underwear, so let us require everybody to work naked
Actually, depending who you work with, this can be a good thing...
--
Antoine
On Fri, 2007-05-04 at 07:26 -0600, Open Phugu wrote:
> > if you deny icmp, you shall burn in hell
> You may burn in hell, but ICMP can be used to infiltrate and exfiltrate data:
> http://www.cs.uit.no/~daniels/PingTunnel/
>
>
This looks like it's pretty trivially defeated; bzero()'ing the data
p
* Open Phugu <[EMAIL PROTECTED]> [2007-05-04 15:36]:
> On 5/4/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
> >* Chad M Stewart <[EMAIL PROTECTED]> [2007-04-25 19:31]:
> >> On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
> >> >pass in inet proto icmp all icmp-type $icmp_types keep state
> >>
>
On 5/4/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
* Chad M Stewart <[EMAIL PROTECTED]> [2007-04-25 19:31]:
> On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
> >pass in inet proto icmp all icmp-type $icmp_types keep state
>
> This can be used as a covert communication channel. Allowing
> i
* Chad M Stewart <[EMAIL PROTECTED]> [2007-04-25 19:31]:
> On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
> >pass in inet proto icmp all icmp-type $icmp_types keep state
>
> This can be used as a covert communication channel. Allowing
> internal IPs to send/receive ping is bad.
that is th
On Wed, 25 Apr 2007 16:29:17 -0600
Tobias Weingartner <[EMAIL PROTECTED]> wrote:
> On Wednesday, April 25, Timo Schoeler wrote:
> >
> > actually, me thinks the same about allowing/denying ICMP as you,
> > tobias. however, we recently had a CCIE/NSA certified blahblah guy
> > in our company, tunin
Tobias Weingartner wrote:
Chad M Stewart wrote:
On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
pass in inet proto icmp all icmp-type $icmp_types keep state
This can be used as a covert communication channel. Allowing
internal IPs to send/receive ping is bad.
Bull. Not allowing ICM
On Wednesday 25 April 2007 17:48, Jason Dixon wrote:
> Tobias Weingartner wrote:
> > Telling people to worry about the door to the barn after the horse
> > has left is not FUD? It's not misdirection? Tell them to solve
> > the root of their problems instead.
>
> Don't poo-poo his effort to mitiga
Tobias Weingartner wrote:
Telling people to worry about the door to the barn after the horse
has left is not FUD? It's not misdirection? Tell them to solve the
root of their problems instead.
Don't poo-poo his effort to mitigate information leaks.
Did you realize that even LAMP can be used
On Wednesday, April 25, Chad M Stewart wrote:
>
> I did NOT suggest blocking ALL ICMP, just echo-request and echo-
> replies from internal hosts to untrusted IPs.
And how is this not violating RFCs?
> Trojans have used echo-request and echo-reply as a method of covert
> communication.
I've you
On 2007/04/26 08:02, Mathieu Sauve-Frankel wrote:
> > I did NOT suggest blocking ALL ICMP, just echo-request and echo-
> > replies from internal hosts to untrusted IPs. Trojans have used
> > echo-request and echo-reply as a method of covert communication. If
> > you had read the original po
On 2007/04/26 01:01, chefren wrote:
> Although it's not well known TCP seriously depends on ICMP packets of
> type 3 code 4 for "Path MTU Discovery" (PTMTUD). Blocking of these
> packets lead to congested IP connections, broken transmissions and thus
> to frustrated users.
for PF, 'keep state'
Although it's not well known TCP seriously depends on ICMP packets of
type 3 code 4 for "Path MTU Discovery" (PTMTUD). Blocking of these
packets lead to congested IP connections, broken transmissions and thus
to frustrated users.
Some documentation:
http://en.wikipedia.org/wiki/Pmtud
http://
> I did NOT suggest blocking ALL ICMP, just echo-request and echo-
> replies from internal hosts to untrusted IPs. Trojans have used
> echo-request and echo-reply as a method of covert communication. If
> you had read the original post you'd see that $icmp_types was defined
> to be echore
On Wednesday, April 25, Timo Schoeler wrote:
>
> actually, me thinks the same about allowing/denying ICMP as you,
> tobias. however, we recently had a CCIE/NSA certified blahblah guy in
> our company, tuning our, err, Cizcoooeee equipment.
>
> guess what he did -- he violated 'the RFCs'.
>
> unf
On 25/04/07, Joachim Schipper <[EMAIL PROTECTED]> wrote:
On Wed, Apr 25, 2007 at 10:40:45PM +0200, Timo Schoeler wrote:
> On Wed, 25 Apr 2007 20:19:42 + (UTC)
> Tobias Weingartner <[EMAIL PROTECTED]> wrote:
>
> > Chad M Stewart wrote:
> > > On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
On Wed, 25 Apr 2007 23:56:50 +0200
Joachim Schipper <[EMAIL PROTECTED]> wrote:
> On Wed, Apr 25, 2007 at 10:40:45PM +0200, Timo Schoeler wrote:
> > On Wed, 25 Apr 2007 20:19:42 + (UTC)
> > Tobias Weingartner <[EMAIL PROTECTED]> wrote:
> >
> > > Chad M Stewart wrote:
> > > > On Apr 25, 2007,
On Wed, Apr 25, 2007 at 10:40:45PM +0200, Timo Schoeler wrote:
> On Wed, 25 Apr 2007 20:19:42 + (UTC)
> Tobias Weingartner <[EMAIL PROTECTED]> wrote:
>
> > Chad M Stewart wrote:
> > > On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
> > > >
> > > > pass in inet proto icmp all icmp-type $ic
On Apr 25, 2007, at 4:19 PM, Tobias Weingartner wrote:
Chad M Stewart wrote:
On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
pass in inet proto icmp all icmp-type $icmp_types keep state
This can be used as a covert communication channel. Allowing
internal IPs to send/receive ping is
On Wed, 25 Apr 2007 20:19:42 + (UTC)
Tobias Weingartner <[EMAIL PROTECTED]> wrote:
> Chad M Stewart wrote:
> > On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
> > >
> > > pass in inet proto icmp all icmp-type $icmp_types keep state
> >
> > This can be used as a covert communication chan
Chad M Stewart wrote:
> On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
> >
> > pass in inet proto icmp all icmp-type $icmp_types keep state
>
> This can be used as a covert communication channel. Allowing
> internal IPs to send/receive ping is bad.
Bull. Not allowing ICMP is just as b
On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
pass in inet proto icmp all icmp-type $icmp_types keep state
This can be used as a covert communication channel. Allowing
internal IPs to send/receive ping is bad.
As for your question, only allow internal devices to do what you want
Greetings! Included below is my pf.conf set up to use
dansguardian (proxyport 3128, filterport 8080)
and tinyproxy (listen port 3128) as a transparent
proxy.
What changes do I need to make to keep someone on
int_if/int_net from circumventing dansguardian
by changing their browser to point to 3
30 matches
Mail list logo
