[Sysadmins] Firewalls.

Alan Doherty alan at alandoherty.net
Tue Mar 16 02:12:41 GMT 2010


Sorry, mis-subjected the last one and forgot to add:

{sometimes exceptions to this exist, like early gen2 {probably now fixed} XP based M$ windows defender that ignored proxy settings and failed to update if direct port 80 wasn't possible, in this case allowing and not alarming on port 80 to that 1 destination/range was the simple fix

and with all these suggestions they only work in an environment where the software is known/understood and relatively static, so when new versions are found to cause false positives filters can be immediately altered to suit, or software can be "educated" to conform to policy, or alarming can be altered to distinguish between blocked but known-safe software, and everything else

{examples are some ad-supported but allowed games that try to direct http to the ad servers, so the ad servers become non-alarm-raising http destinations, whether policy is to allow or block}

At 12:00 15/03/2010  Monday, sysadmins-request at lists.stdlib.net wrote:
>Date: Sun, 14 Mar 2010 19:24:38 +0000
>From: FRLinux <frlinux at gmail.com>
>Subject: Re: [Sysadmins] Firewalls.
>To: Irish System Adminstrators discussion <sysadmins at lists.stdlib.net>
>Message-ID:
>        <a8139f991003141224o35c03380j226c17f0b98bc2b4 at mail.gmail.com>
>Content-Type: text/plain; charset=ISO-8859-1
>
>On Sun, Mar 14, 2010 at 2:03 PM, Alan Doherty <alan at alandoherty.net> wrote:
>> I use squid internally directly configured in users' browsers {transparent proxy is, I find, counterproductive as you help-proxy malware too, and can't detect/distinguish between configured clients and unconfigured clients {potential malware}}
>
>Mmmh, care to detail on that one?

Well, it's as it says: most Trojans will attempt a direct port 80 to command&control/update-server if http-capable
before falling back to using the browser proxy {as they know most proxies are used to provide better logging/filtering} and would prefer to use direct http if possible

thus they raise an alarm on the firewall {once, un-repeated usually}
no browser will ever attempt a direct connect if a proxy is configured
{thus no legit software triggers alarms except for new installs {which are expected} that need configuring after opening}

if you transparent proxy, legit and non-legit software's traffic is intercepted and proxied, so there is no way to distinguish or alarm on attempts to bypass the proxy
you might spot the malware in the logs, but good luck identifying it in a busy environment

obviously in a heavy IT-based house new installs are frequent so it's less useful, but on a broker's premises or an accountant's it's a pretty clear-cut trojan {or other non-trojan but non-IT-approved/installed software} sign to see an attempt at port 80 outbound from a desktop that is configured to use the proxy
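The alarm logic described above (explicit proxy, so any desktop going direct to port 80 is suspect, with a small allow-list for known exceptions such as an AV updater or ad servers), as an added example that is not part of the original mail. It assumes netfilter-style log lines, a desktop subnet of 10.0.1.0/24, a proxy at 10.0.0.5 and a constructed 203.0.113.0/24 allow-list range; adjust to your own network.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed layout (not from the mail): desktops, the explicit squid proxy,
# and destinations that are known-safe to reach directly without alarming.
DESKTOPS = ip_network("10.0.1.0/24")
PROXY = ip_address("10.0.0.5")
ALLOW_DIRECT = [ip_network("203.0.113.0/24")]  # constructed placeholder range

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*PROTO=TCP .*DPT=(\d+)")

def classify(line):
    """Classify one netfilter-style log line: proxy / known-direct / ALARM / other."""
    m = LINE_RE.search(line)
    if not m:
        return "other"
    src, dst, dport = ip_address(m.group(1)), ip_address(m.group(2)), int(m.group(3))
    if dport != 80:
        return "other"
    if src == PROXY:
        return "proxy"  # the proxy itself is expected to speak direct HTTP
    if src in DESKTOPS:
        if any(dst in net for net in ALLOW_DIRECT):
            return "known-direct"  # e.g. an updater that ignores proxy settings
        return "ALARM"  # a proxy-configured desktop trying to bypass the proxy
    return "other"

def alarms(lines):
    """Return unique (src, dst) pairs that bypassed the proxy; the mail notes
    such attempts usually fire once, so one alarm per pair is enough."""
    seen, out = set(), []
    for line in lines:
        if classify(line) == "ALARM":
            key = LINE_RE.search(line).group(1, 2)
            if key not in seen:
                seen.add(key)
                out.append(key)
    return out

# Constructed sample log: proxy traffic, an allowed direct fetch, one desktop
# bypassing the proxy twice, and an unrelated port-443 connection.
SAMPLE_LOG = """\
Mar 15 09:01:02 fw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=80
Mar 15 09:01:05 fw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=203.0.113.10 PROTO=TCP SPT=51001 DPT=80
Mar 15 09:02:11 fw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=10.0.1.42 DST=198.51.100.9 PROTO=TCP SPT=51002 DPT=80
Mar 15 09:02:12 fw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=10.0.1.42 DST=198.51.100.9 PROTO=TCP SPT=51003 DPT=80
Mar 15 09:03:00 fw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=10.0.1.42 DST=198.51.100.9 PROTO=TCP SPT=51004 DPT=443
""".splitlines()

if __name__ == "__main__":
    for src, dst in alarms(SAMPLE_LOG):
        print(f"ALARM: {src} attempted direct HTTP to {dst}, bypassing proxy {PROXY}")
```

Feed it the firewall's LOG-target output for outbound traffic from the desktop VLAN; the proxy host itself should be the only legitimately noisy port-80 source.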