Great Circle Associates Firewalls
(March 1993)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: DNS Client Ports
From: Marcus J Ranum <mjr @ TIS . COM>
Date: Sun, 14 Mar 93 14:31:37 EST
To: amoss @ cs . huji . ac . il, firewalls @ GreatCircle . COM

>|	One implication is that anyone with a tunnelling driver can
>|run IP tunnelled through your firewall using NS packets as the
>|transport layer.
>
>You mean that it could be used to transfer data you don't want to be transfered
>to/from your site, right?  If I don't hold secrets at my site and just want to
>prevent un-authorised access from outside then I shouldn't be concerned with
>it (at least not too much),  right?

	Right. It depends on the security policy you're trying to enforce.
If you don't have any concern about someone exporting data from your
network, and you more or less trust all the folks on your network not to
try to circumvent your security, then you're OK. Tunnelling is only a
threat if you have someone who, for some reason or other, feels that
they want to get around your firewall completely, or wants to let a buddy
in. Since usually setting up a tunnel involves some games with routing
on both ends, it's not as if it's going to leave you open to the entire
internet.  I guess if someone did break into a machine on the inside,
setting up a tunnel would be a pretty nice way of getting in and out of
your network to play around, since it lets you completely side-step the
firewall.

	I haven't put any real thought into other fun attacks you can
launch with a tunnelling driver. The version I wrote doesn't do access
checks on the interface(!) so anyone can do the equivalent of an "ifconfig"
on it. It detaches itself from the interface list when it's closed down,
so aside from /dev/tun* it's invisible when you shut it off. (And of
course the device can be named anything you like)  - Depending on the
local routing situation, if folks rely on .rhosts, you might be able
to somehow bring up a tunnel and make it pretend to be another machine
for the purposes of spoofing rlogin and whatnot, but I don't see
what that buys you. I guess you could spoof a remote machine by
advertising a route (if the victim's site uses RIP) and configuring
a tunnel to pretend to be that machine. Might come in handy for
breaking in via NFS, come to think of it.

	I'm not sure how much of a threat tunnelling poses. It's certainly
an interesting (and amusing!) problem, though. It's less amusing if you
are concerned with controlling export of information, or are dealing with
an industrial spy or someone who really has it in for you and wants to
let all his buddies in to dance on your net.

mjr.


Indexed By Date Previous: Re: DNS Client Ports
From: Amos Shapira <amoss @ cs . huji . ac . il>
Next: Cisco access-list compiler anyone?
From: Amos Shapira <amoss @ cs . huji . ac . il>
Indexed By Thread Previous: Re: DNS Client Ports
From: Amos Shapira <amoss @ cs . huji . ac . il>
Next: Cisco access-list compiler anyone?
From: Amos Shapira <amoss @ cs . huji . ac . il>

Google
 
Search Internet Search www.greatcircle.com