Great Circle Associates Firewalls
(January 1995)

Subject: Re: FW: PC Take-Over -- reply
From: "Chuck Yerkes" <yerkes_chuck @ jpmorgan . com>
Date: Fri, 6 Jan 1995 17:48:53 -0500
To: Don Krapf <dkrapf @ access . digex . net>
Cc: Firewalls @ GreatCircle . COM

[general scenario describing trojan horse program on your machine deleted
for space]

> The only defense I can see against it is a very restrictive policy
> regarding outgoing TCP connections carrying arbitrary data.  (e.g. none
> except to predefined hosts)  Even if outbound telnet is restricted,
> the RPC mechanism could be made to work over a pair of FTP data
> connections.  It wouldn't matter whether they were going through a
> proxy or not.  Practically any live exchange of arbitrary data would do.

Well, you can (1) only allow outbound telnets from/to certain pairs.
(2) Not allow ANY inbound connections, other than those that are proxy
controlled (ftp, telnet responses, etc).
(3) RPC?  Over the 'Net?  I think I stop that at my firewall.

Yes, an internal 'doctored' telnet that can negotiate proxies to an
outside 'doctored' telnetd, and has, say Kerberos tickets, can present
a problem.

A more real problem is a person with a FAX modem (or similar) who sets it up
to autoanswer and run, say "PC-Anywhere" with no passwords (because he doesn't
want to fill out paperwork to use the prescribed method - modems with
single-use tokens and auditing). Scanning for modems is an old trick.

When you have a company-wide dialup service, you need to also have
a policy prohibiting going around it and appropriate punishment for
violating this.  For .com, dismissal is appropriate.  For .edu, some
discipline or removal of privilege is appropriate.  For .mil, take 'em
out and shoot 'em (Just kidding, Mr. Pataki!).

The point is you must have policy and punishment outlined first, before you
catch someone with unauthorized software/hardware on their (company owned)
machine.  You must make it easier/less risky to use the proper techniques.

Also, if someone is caught walking with a backup tape or floppy, and
that's not okay, they're gone.  They have also signed a statement that
says you can go search their house and beat their loved ones - if it's
that big a concern (although, why can they get to a tape/floppy drive
in the first place).  - You DO encrypt your backups, don't you?

The scenario of doom above is possible, but not as simple as you make it
sound if you have a firewall policy of "that which is not explicitly
permitted, is prohibited" (thanque mjr) and a good firewall.


chuck yerkes
consultant
-------------------------------
I speak not for my client; I usually don't subscribe to my own opinions.
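The three rules Chuck lists (outbound telnet only between listed pairs, no inbound connections except those the proxy solicited, RPC stopped at the firewall) expressed as a default-deny policy check; this is an added example, not code from the original post, and the internal network, proxy host and address pairs are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TELNET, FTP, FTP_DATA, SUNRPC = 23, 21, 20, 111


@dataclass(frozen=True)
class Conn:
    direction: str   # "out" (inside -> outside) or "in" (outside -> inside)
    src: str
    dst: str
    sport: int
    dport: int


# Constructed site values: the internal network and the proxy (bastion) host.
INTERNAL = ip_network("10.0.0.0/8")
PROXY = ip_address("10.0.0.5")
# Rule (1): outbound telnet only between explicitly listed (src, dst) pairs.
TELNET_PAIRS = {("10.0.1.10", "192.0.2.20")}


def permitted(c: Conn) -> bool:
    """Default deny: True only when an explicit permit rule matches."""
    src, dst = ip_address(c.src), ip_address(c.dst)
    if c.direction == "out" and src in INTERNAL and dst not in INTERNAL:
        if c.dport == TELNET:
            return (c.src, c.dst) in TELNET_PAIRS
        if c.dport == FTP:          # FTP control leaves only via the proxy
            return src == PROXY
        return False                # everything else, RPC (111) included, is dropped
    if c.direction == "in" and src not in INTERNAL and dst in INTERNAL:
        # Rule (2): the only inbound connections are the FTP data channels the
        # proxy itself solicited, i.e. the remote server calling back from port 20.
        return dst == PROXY and c.sport == FTP_DATA
    return False                    # anything not explicitly permitted is prohibited


def filter_log(conns):
    """Return (conn, 'permit'|'deny') for each attempt, suitable for an audit trail."""
    return [(c, "permit" if permitted(c) else "deny") for c in conns]
```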
