Hi Jonas, I didn't explain well... L7 filtering is easily defeated by SSL-wrapping any TCP-service on 443 port so you can install a SSL'rized SSH or Squid server (for instance) on that port and use it to freely surf the net :) Your firewall will only see aparently-legit SSL connections to an aparently-legit destination port (443). Hacker win, admin loose :-)
I repeat it: I don't know of any solution able to defeat this and would like to know if you have some idea to detect these more-or-less "advanced" bypass cases. Kind regards. Jonas Andradas escribió: > For Layer-7 filtering, you could check > > Application Layer Packet Classifier for Linux: > http://l7-filter.sourceforge.net/ > > Kernel Iptables Layer 7: http://l7-filter.sourceforge.net/HOWTO-kernel > > > > On Dec 14, 2007 6:53 PM, Roman Medina-Heigl Hernandez <[EMAIL PROTECTED]> > wrote: >> Willi Mann escribió: >> >> If you want to permit HTTPS, you have to allow CONNECT to (at least) >> 443/tcp. So it's easy to tunnel through that port and get a "clean" >> internet connection. >> >> I don't know of any solution (level 7 filtering, etc) able to defeat this >> kind of tricks. -- Saludos, -Roman PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742 [Key ID: 0xEAD56742. Available at KeyServ] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
