Domain: detached.net
Stories and comments across the archive that link to detached.net.
Comments · 7
-
application-level firewalls are pointless
Egress filtering. Application-level firewalls. This is EXACTLY what they exist for.
Sadly, they exist more to make a quick buck by giving ignorant admins a false sense of security.
Transports which tunnel through the HTTP application layer (not just SSH on port 80) using fully obscured forms of encryption are prevalent and readily available to the non-technical PC user. Such applications are very popular in Saudi Arabia and China, for example, primarily because there are presently no proxies capable of blocking them.
As soon as such proxies appear, the HTTP application layer tunnels will implement polymorphic protocols. There is no hint of evidence that the proxies have any chance of keeping up.
It is well known in the steganography community that any open channel, even email, is transparently insecure. Unless such channels are closely monitored by a professional cryptoanalyst, there is no chance that they can reliably prevented from carrying unwanted traffic.
-
Re:Limit outbound encrypted traffic? Damn straight
No really, blocking SSH/ESP and tracking HTTPS is a reasonable suggestion -- if anything, I'd say the above doesn't go far enough.
Reasonable? Pointless.
Applications which tunnel through the HTTP application layer (not just SSH o port 80) using fully obscured forms encryption are prevalent and readily available to the non-technical PC user. Such applications are very popular in Saudi Arabia and China, for example. Primarily because there are, at this time, no proxies capable of blocking them.
And as soon as such proxies appear, the HTTP application layer tunnels will go polymorphic in their protocols. There is no hint of evidence that the proxies have any chance of keeping up.
It is well-known to the steganography community that any open channel, even email, are insecure. Unless such channels are closely monitored by a professional cryptographer, there is no chance that they can reliably be monitored to prevent unfriendly traffic.
-
Why blocking ICMP echo and destination unreachable
At the end of the article, they recommend blocking some ICMP messages and mention echo reply and request, and destination unreachable...
Blocking ICMP destination unreachable of type fragmentation needed will give a hard time to PMTU discovery (eg. Linux, FreeBSD, any OS with a decent TCP/IP stack).
Why would you want to do that ? Are there any exploits using ICMP ? I know you can tunnel stealthily using ICMP, but any protocol can be used as tunnel...
90% of ICMP should not be blocked IMHO.
-
Mailtunnel
It's not really a covert channel, but Mailtunnel lets you send IP packets via Internet mail messages, which is an equally twisted way of getting data from A to B.
-
Re:This has a cost - higher in europe
Yes, the SMS services of GSM used to be free, back when it was almost unused and there were no gateways from the internet. I once had an almost continuous stream of messages going back and forth between a few phones as a security service, probably sent 39K messages total in 3 months. Remember the TCP over email tunnel? I had just started coding an IP over SMS driver for linux when SMS charges started. But now almost all GSM providers charge for SMS, and especially SMS email gateway functions, either for a fixed number per month or per message.
Belgacom and Proximus have anti-spam features in place on their internet --> SMS gateways, and are starting to block thousands of messages per day from spammers. They both block all messages from UUNET and AOL and a few other well known spam relays, and don't even bother to look for legitimate messages from there. There are hundreds of 'trigger' mailboxes of dead numbers that nobody should be sending messages to, which is a good method of stopping spam pretty quickly before the customer service lines start to light up.
France telecom (itineris) have no such protection measures in place except for extremely rude and untrained front line customer reps. But the SMS service is now an opt-in pay up front service, so very few mailboxes are actually enabled. But for those who have the email --> SMS gateway paid for, expect a few spam messages per week. This is outlawed in france, but there is no enforcement because france telecom refuses to track down the sources. Most of the french spam comes from within france, and is for french businesses, so it wouldn't be very hard to find them and make a few examples.
the AC -
vpnstarter over ssh is a workable vpn solutionMY company is running this for several remote sites and it works well. Basically you need a linux box at each location to act as a firewall/router/vpn connection. You then set up an ssh user who can get in to the main site using rsa public/private keys.
vpnstarter can be used to initiate the tunnel over ssh and monitor the link. Works well, although vpnstarter cna be a pain to set up properly.
So, open source vpn solutions do exist now, and they do work.
-
Geez...
Not even 12 hours has gone by, and I've already got a use for the mail tunneling protocol posted earlier.