In general, any Application Layer Gateway (ALG) firewall, or any firewall that has a true http proxy, will only allow sessions on port 80 that are actually http. Some examples of ALGs are Gauntlet and Raptor. An example of a firewall that is not an ALG but that does support a true http proxy is FW-1. (PIX does not have a true http proxy.)

Unfortunately, the problem is worse than you describe. There are programs that actually use legitimate http protocol calls to tunnel other traffic, such as httptunnel. There are other programs that use ICMP echo-request and echo-reply (Loki and icmptunnel) and at least one implementation of a tunnel using DNS request/replies: http://online.securityfocus.com/archive/1/8990

In practice, it is very difficult, though not impossible, to detect these sorts of programs with current FW and IDS systems, mostly due to the number of false positives you're likely to get and the amount of processing that has to be done on the payload in each packet. However, using a good proxy is at least a starting point and raises the bar for an attacker.

Regards,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of exchange
Sent: Thursday, May 02, 2002 10:34 AM
To: [EMAIL PROTECTED]
Subject: Closing Ports Part 2 [7:43145]

I know blocking ports isn't really going to stop people who can tunnel through via http or some other open ports. Are there firewalls that will look into specific traffic streams and drop connections that are not really http sessions?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43508&t=43145
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
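The following is an added illustration, not code from this thread or from any of the firewalls named in it. It models the check a true http proxy applies before forwarding a port-80 session: the first bytes from the client must parse as a well-formed HTTP/1.x request head (request line, header lines, blank line). The sample payloads are constructed; the function names `parse_http_request_head`, `proxy_verdict` and `classify_samples` are assumptions for this example. It also shows the limit Kent describes: a tunnel that wraps its data in valid HTTP framing (the httptunnel case) passes this check, because the proxy only sees correct protocol syntax.

```python
import re

# Constructed sample payloads: the first bytes a client sends on a port-80 session.
SAMPLES = {
    # Ordinary browser request: should be forwarded.
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n",
    # Non-HTTP protocol simply pointed at port 80: an ALG / true proxy drops it.
    "ssh_banner": b"SSH-2.0-OpenSSH_5.9\r\n",
    # Arbitrary binary: no request head at all.
    "binary_blob": bytes(range(32)) + b"\x80\x81\xff",
    # Unknown method: syntactically close to HTTP but not a valid request.
    "bad_method": b"FOO / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # Header block that is not name:value lines.
    "bad_header": b"GET / HTTP/1.1\r\nthis is not a header\r\n\r\n",
    # httptunnel-style traffic: correct HTTP framing carrying an opaque body.
    "framed_post": (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"Content-Length: 16\r\n\r\n" + b"\x00" * 16),
}

# Methods a proxy is willing to forward (assumption: a typical allow-list).
METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.([01])$")
# RFC 7230 token characters for the field name, then ':' and optional whitespace.
HEADER_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")


def parse_http_request_head(data: bytes):
    """Return (method, target, version, headers) when `data` starts with a
    well-formed HTTP/1.x request head, otherwise None.  This is the syntax
    check a true http proxy performs before it forwards anything."""
    end = data.find(b"\r\n\r\n")
    if end == -1:                      # no end-of-headers marker in the data seen
        return None
    lines = data[:end].split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m or m.group(1) not in METHODS:
        return None
    method, target, version = m.group(1).decode(), m.group(2).decode(), m.group(3).decode()
    headers = {}
    for line in lines[1:]:
        hm = HEADER_LINE.match(line)
        if not hm:                     # any malformed header line fails the session
            return None
        headers[hm.group(1).decode().lower()] = hm.group(2).decode("latin-1")
    if version == "1" and "host" not in headers:   # HTTP/1.1 requires Host
        return None
    return method, target, "1." + version, headers


def proxy_verdict(data: bytes) -> str:
    """'forward' if the session looks like HTTP to the proxy, else 'drop'."""
    return "forward" if parse_http_request_head(data) else "drop"


def classify_samples():
    """Apply the proxy check to every constructed sample."""
    return {name: proxy_verdict(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:12s} -> {verdict}")
```

Running it forwards `plain_get` and drops the SSH banner, the binary blob and the two malformed requests, which is exactly the gain a true http proxy gives over a port-number rule. `framed_post` is also forwarded: its request head is valid and the body is opaque, so distinguishing it from a legitimate upload needs the payload inspection (and tolerance for false positives) that the reply above describes.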

