[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[linux-security] Re: IP Filters and Masq: precisions


On Fri, 07 Aug 1998 11:17:31 -0400, Mailing Lists wrote:

>for a hacker to directly connect to one of my protected computers from the
>outside.  Can a java or activeX applet do the thrick?  Or if a computer
>from the inside initiate a connexion to some.evil.org, can this host piggy
>backs the link and access the computer from which the connection was
>initially made?  That's the kind of questions I'm asking myself and haven't
>seen any answers about them.  Some friend of mine says he heard of a way to
>circumvent a masq firewall and access a computer inside, but that's as far
>has he remembers.

If you can get an internal machine to make an arbitrary connection to
you through a masquerading firewall, then you can use that connection
to do whatever you want.  So, yes, Java or Active-X could feasibly be
used to circumvent a masq firewall.  Once the outgoing connection has
been made there is a way to talk back to the internal machine, so it is
possible that something other than what you expected could be passed
through it.  However, assuming no security problem with the
applications you are running on the inside, then you should be as safe
as with an alternative firewall.  Equally, you should probably firewall
incoming packets from the outside so that you are only accepting the
minimum... After all, if nobody needs to telnet into your firewall from
outside, why give them the chance?  If they can telnet into the
firewall, they then have full access to the internal network.  

Hopefully this makes sense,
	Adam Morris
- --
Adam Morris  --  Onyx Internet  --  Systems Engineer
http://www.onyx.net   e-mail: Adam Morris onyx net
vox: +44 (0)1642 216200          fax: +44 (0)1642 216201
* * If the message isn't signed it probably isn't me * *

Version: 2.6.3ia
Charset: cp850


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]